{
  "schema_version": "1.4.0",
  "id": "GHSA-h4q8-96p6-jcgr",
  "modified": "2022-12-19T22:48:32Z",
  "published": "2022-12-19T22:48:32Z",
  "aliases": [
    "CVE-2022-39304"
  ],
  "summary": "ghinstallation returns app JWT in error responses",
  "details": "### Impact\n\nIn ghinstallation v1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging.\n\nhttps://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174\n\nThe request contained the bearer JWT for the App, and was returned back to clients. This token is short lived (10 minute maximum).\n\n### Patches\n\n- This has already been patched in d24f14f8be70d94129d76026e8b0f4f9170c8c3e, and is available in releases >= v2.0.0.\n\n### References\n_Are there any links users can visit to find out more?_\n\n- See https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation for the App installation flow.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [ghinstallation](https://github.com/bradleyfalzon/ghinstallation)\n",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/bradleyfalzon/ghinstallation"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bradleyfalzon/ghinstallation/security/advisories/GHSA-h4q8-96p6-jcgr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39304"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bradleyfalzon/ghinstallation/commit/d24f14f8be70d94129d76026e8b0f4f9170c8c3e"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bradleyfalzon/ghinstallation"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-1178"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2022-061_ghinstallation"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-19T22:48:32Z",
    "nvd_published_at": "2022-12-20T20:15:00Z"
  }
}