CVE-2016-10526

A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised.
References
Link Resource
https://nodesecurity.io/advisories/85 Third Party Advisory
https://github.com/tschaub/grunt-gh-pages/pull/41 Third Party Advisory
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:grunt-gh-pages_project:grunt-gh-pages:*:*:*:*:*:node.js:*:*

Information

Published : 2018-05-31 13:29

Updated : 2019-10-09 16:16


NVD link : CVE-2016-10526

Mitre link : CVE-2016-10526


JSON object : View

CWE
CWE-255

Credentials Management Errors

CWE-532

Insertion of Sensitive Information into Log File

Advertisement

dedicated server usa

Products Affected

grunt-gh-pages_project

  • grunt-gh-pages