Skip to content

vsc.utils.rest password/token leak in debug logs

High
itkovian published GHSA-w8wc-fcgf-qf44 Mar 19, 2020

Package

vsc-base (PyPI)

Affected versions

< 2.9.6

Patched versions

2.9.6

Description

Impact

The request method of the Client class in vsc.utils.rest (which is used by the RestClient class) was including password and tokens in plain text in a debug log message, by exposing the full API request, including the Authorization part.

An example log message like this:

cli request: GET, /repos/easybuilders/easybuild-easyconfigs/pulls/10064, None, {'Authorization': u'Token deadbeefdeadbeefdeadbeefdeadbeefde', 'User-Agent': 'vsc-rest-client'}

Patches

The problem was fixed in #290, and a new vsc-base release was published on PyPI (v2.9.6) on Monday March 16th 2020 which includes a fix for the issue: https://pypi.org/project/vsc-base/2.9.6 .

Workarounds

There are no workarounds other than upgrading to the latest version of vsc-base, or by actively stripping out leaked passwords or token from log files.

We strongly recommend to change passwords that may have leaked because of this issue, and to revoke GitHub personal access tokens (via https://github.com/settings/tokens).

References

See also the EasyBuild security advisory: GHSA-2wx6-wc87-rmjm .

This bug was first uncovered in EasyBuild, where vsc-base has been ingested recently.

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2020-5262

Weaknesses

No CWEs