App JWT returned in error responses < v2.0.0

Impact

In ghinstallation v1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging.

ghinstallation/transport.go

Lines 172 to 174 in 24e56b3

    
           if resp.StatusCode/100 != 2 { 
        
           	return fmt.Errorf("request %+v received non 2xx response status %q with body %+v and TLS %+v", resp.Request, resp.Body, resp.Request, resp.TLS) 
        
           }

The request contained the bearer JWT for the App, and was returned back to clients. This token is short lived (10 minute maximum).

Patches

This has already been patched in d24f14f, and is available in releases >= v2.0.0.

References

Are there any links users can visit to find out more?

See https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation for the App installation flow.

For more information

If you have any questions or comments about this advisory:

Open an issue in ghinstallation

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

App JWT returned in error responses < v2.0.0

Package

Affected versions

Patched versions

Description

Impact

Patches

References

For more information

Severity

CVSS base metrics

CVE ID

Weaknesses

Credits

	if resp.StatusCode/100 != 2 {
	return fmt.Errorf("request %+v received non 2xx response status %q with body %+v and TLS %+v", resp.Request, resp.Body, resp.Request, resp.TLS)
	}