Impact
The request
method of the Client
class in vsc.utils.rest
(which is used by the RestClient
class) was including password and tokens in plain text in a debug log message, by exposing the full API request, including the Authorization
part.
An example log message like this:
cli request: GET, /repos/easybuilders/easybuild-easyconfigs/pulls/10064, None, {'Authorization': u'Token deadbeefdeadbeefdeadbeefdeadbeefde', 'User-Agent': 'vsc-rest-client'}
Patches
The problem was fixed in #290, and a new vsc-base
release was published on PyPI (v2.9.6) on Monday March 16th 2020 which includes a fix for the issue: https://pypi.org/project/vsc-base/2.9.6 .
Workarounds
There are no workarounds other than upgrading to the latest version of vsc-base
, or by actively stripping out leaked passwords or token from log files.
We strongly recommend to change passwords that may have leaked because of this issue, and to revoke GitHub personal access tokens (via https://github.com/settings/tokens).
References
See also the EasyBuild security advisory: GHSA-2wx6-wc87-rmjm .
This bug was first uncovered in EasyBuild, where vsc-base
has been ingested recently.
For more information
If you have any questions or comments about this advisory:
Impact
The
request
method of theClient
class invsc.utils.rest
(which is used by theRestClient
class) was including password and tokens in plain text in a debug log message, by exposing the full API request, including theAuthorization
part.An example log message like this:
Patches
The problem was fixed in #290, and a new
vsc-base
release was published on PyPI (v2.9.6) on Monday March 16th 2020 which includes a fix for the issue: https://pypi.org/project/vsc-base/2.9.6 .Workarounds
There are no workarounds other than upgrading to the latest version of
vsc-base
, or by actively stripping out leaked passwords or token from log files.We strongly recommend to change passwords that may have leaked because of this issue, and to revoke GitHub personal access tokens (via https://github.com/settings/tokens).
References
See also the EasyBuild security advisory: GHSA-2wx6-wc87-rmjm .
This bug was first uncovered in EasyBuild, where
vsc-base
has been ingested recently.For more information
If you have any questions or comments about this advisory: