Lookup for vulnerable packages by Package URL.
| Field | Value |
|---|---|
| Purl | pkg:npm/grunt-gh-pages@0.9.1 |
| Type | npm |
| Namespace | |
| Name | grunt-gh-pages |
| Version | 0.9.1 |
| Qualifiers | |
| Subpath | |
| Is_vulnerable | true |
| Next_non_vulnerable_version | 0.10.0 |
| Latest_non_vulnerable_version | 1.0.0 |

Affected_by_vulnerabilities (1 entry):

| Field | Value |
|---|---|
| url | VCID-94f2-5d2t-1yar |
| vulnerability_id | VCID-94f2-5d2t-1yar |
| summary | Insertion of Sensitive Information into Log File. A common setup to deploy to gh-pages on every commit via a CI system is to expose a GitHub token to ENV and to use it directly in the auth part of the URL. In module versions < 0.9.1 the auth portion of the URL is output as part of the grunt task's logging function. If this output is publicly available then the credentials should be considered compromised. |
| references | |
| fixed_packages | |
| aliases | CVE-2016-10526, GHSA-rrj3-qmh8-72pf |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-94f2-5d2t-1yar |

| Field | Value |
|---|---|
| Fixing_vulnerabilities | |
| Risk_score | null |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:npm/grunt-gh-pages@0.9.1 |