Renovate vulnerable to leakage of temporary repository tokens into Pull Request comments

Moderate severity GitHub Reviewed Published Oct 18, 2019 in renovatebot/renovate • Updated Jan 7, 2023

Package

npm renovate (npm)

Affected versions

>= 13.87.0, < 19.38.7

Patched versions

19.38.7

Description

Impact

Temporary repository tokens were leaked into Pull Request comments during certain Go Modules update failure scenarios.

Patches

The problem has been patched. Self-hosted users should upgrade to v19.38.7 or later.

Workarounds

Disable Go Modules support.

References

Blog post: https://renovatebot.com/blog/go-modules-vulnerability-disclosure

For more information

If you have any questions or comments about this advisory:

@rarkins published to renovatebot/renovate Oct 18, 2019
Published to the GitHub Advisory Database Oct 21, 2019
Reviewed Jun 16, 2020
Last updated Jan 7, 2023

Severity

Moderate, 5.3 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-v7x3-7hw7-pcjg
