{"url":"http://public2.vulnerablecode.io/api/packages/57448?format=json","purl":"pkg:npm/grunt-gh-pages@0.9.1","type":"npm","namespace":"","name":"grunt-gh-pages","version":"0.9.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.10.0","latest_non_vulnerable_version":"1.0.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40689?format=json","vulnerability_id":"VCID-94f2-5d2t-1yar","summary":"Insertion of Sensitive Information into Log File\nA common setup to deploy to gh-pages on every commit via a CI system is to expose a GitHub token to ENV and to use it directly in the auth part of the URL. In module versions < 0.9.1 the auth portion of the URL is output as part of the grunt task's logging function. If this output is publicly available, then the credentials should be considered compromised.","references":[{"reference_url":"https://github.com/tschaub/grunt-gh-pages/pull/41","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/tschaub/grunt-gh-pages/pull/41"},{"reference_url":"https://nodesecurity.io/advisories/85","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/85"},{"reference_url":"https://www.npmjs.com/advisories/85","reference_id":"","reference_type":"","scores":[],"url":"https://www.npmjs.com/advisories/85"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10526","reference_id":"CVE-2016-10526","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10526"},{"reference_url":"https://github.com/advisories/GHSA-rrj3-qmh8-72pf","reference_id":"GHSA-rrj3-qmh8-72pf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rrj3-qmh8-72pf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57449?format=json","purl":"pkg:npm/grunt-gh-pages@0.10.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/grunt-gh-pages@0.10.0"}],"aliases":["CVE-2016-10526","GHSA-rrj3-qmh8-72pf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-94f2-5d2t-1yar"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/grunt-gh-pages@0.9.1"}