Vulnerability-Lookup

CVE-2020-5262 (GCVE-0-2020-5262)

Vulnerability from cvelistv5 – Published: 2020-03-19 17:05 – Updated: 2024-08-04 08:22

Title

GitHub personal access token leaking into temporary EasyBuild (debug) logs

Summary

In EasyBuild before version 4.1.2, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--fro,-pr`, etc.) is shown in plain text in EasyBuild debug log files. This issue is fixed in EasyBuild v4.1.2, and in the `master`+ `develop` branches of the `easybuild-framework` repository.

Severity ?

7.7 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-532 - Insertion of Sensitive Information into Log File

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	easybuilders	easybuild-framework	Affected: < 4.1.2

GSD-2020-5262

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2020-5262

Aliases

CVE-2020-5262

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-5262",
    "description": "In EasyBuild before version 4.1.2, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--fro,-pr`, etc.) is shown in plain text in EasyBuild debug log files. This issue is fixed in EasyBuild v4.1.2, and in the `master`+ `develop` branches of the `easybuild-framework` repository.",
    "id": "GSD-2020-5262"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-5262"
      ],
      "details": "In EasyBuild before version 4.1.2, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--fro,-pr`, etc.) is shown in plain text in EasyBuild debug log files. This issue is fixed in EasyBuild v4.1.2, and in the `master`+ `develop` branches of the `easybuild-framework` repository.",
      "id": "GSD-2020-5262",
      "modified": "2023-12-13T01:22:03.615938Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-5262",
        "STATE": "PUBLIC",
        "TITLE": "GitHub personal access token leaking into temporary EasyBuild (debug) logs"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "easybuild-framework",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 4.1.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "easybuilders"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In EasyBuild before version 4.1.2, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--fro,-pr`, etc.) is shown in plain text in EasyBuild debug log files. This issue is fixed in EasyBuild v4.1.2, and in the `master`+ `develop` branches of the `easybuild-framework` repository."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-532: Insertion of Sensitive Information into Log File"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm",
            "refsource": "CONFIRM",
            "url": "https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm"
          },
          {
            "name": "https://github.com/easybuilders/easybuild-framework/pull/3248",
            "refsource": "MISC",
            "url": "https://github.com/easybuilders/easybuild-framework/pull/3248"
          },
          {
            "name": "https://github.com/easybuilders/easybuild-framework/pull/3249",
            "refsource": "MISC",
            "url": "https://github.com/easybuilders/easybuild-framework/pull/3249"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-2wx6-wc87-rmjm",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c4.1.2",
          "affected_versions": "All versions before 4.1.2",
          "cvss_v2": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-922",
            "CWE-937"
          ],
          "date": "2021-01-26",
          "description": "In EasyBuild and in the `master`+ `develop` branches of the `easybuild-framework` repository.",
          "fixed_versions": [
            "4.1.2"
          ],
          "identifier": "CVE-2020-5262",
          "identifiers": [
            "GHSA-2wx6-wc87-rmjm",
            "CVE-2020-5262"
          ],
          "not_impacted": "All versions starting from 4.1.2",
          "package_slug": "pypi/easybuild-framework",
          "pubdate": "2020-03-19",
          "solution": "Upgrade to version 4.1.2 or above.",
          "title": "Insecure Storage of Sensitive Information",
          "urls": [
            "https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm",
            "https://github.com/easybuilders/easybuild-framework/pull/3248",
            "https://github.com/easybuilders/easybuild-framework/pull/3249",
            "https://github.com/easybuilders/easybuild-framework/commit/210743d0e3618a8ac0a56eb9c0f4fa4fd8ae53b9",
            "https://nvd.nist.gov/vuln/detail/CVE-2020-5262",
            "https://github.com/advisories/GHSA-2wx6-wc87-rmjm"
          ],
          "uuid": "d6e8936e-e114-41a8-8763-8d4366485c99"
        },
        {
          "affected_range": "\u003c4.1.2",
          "affected_versions": "All versions before 4.1.2",
          "cvss_v2": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-922",
            "CWE-937"
          ],
          "date": "2020-03-23",
          "description": "In EasyBuild, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--fro,-pr`, etc.) is shown in plain text in EasyBuild debug log files.",
          "fixed_versions": [
            "4.1.2"
          ],
          "identifier": "CVE-2020-5262",
          "identifiers": [
            "CVE-2020-5262",
            "GHSA-2wx6-wc87-rmjm"
          ],
          "not_impacted": "All versions starting from 4.1.2",
          "package_slug": "pypi/easybuild",
          "pubdate": "2020-03-19",
          "solution": "Upgrade to version 4.1.2 or above.",
          "title": "Insecure Storage of Sensitive Information",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-5262"
          ],
          "uuid": "1b264c3b-697e-4028-b907-60c3399aa1c8"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:easybuild_project:easybuild:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.1.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-5262"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In EasyBuild before version 4.1.2, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--fro,-pr`, etc.) is shown in plain text in EasyBuild debug log files. This issue is fixed in EasyBuild v4.1.2, and in the `master`+ `develop` branches of the `easybuild-framework` repository."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-922"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/easybuilders/easybuild-framework/pull/3248",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/easybuilders/easybuild-framework/pull/3248"
            },
            {
              "name": "https://github.com/easybuilders/easybuild-framework/pull/3249",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/easybuilders/easybuild-framework/pull/3249"
            },
            {
              "name": "https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-03-23T18:15Z",
      "publishedDate": "2020-03-19T17:15Z"
    }
  }
}

GHSA-2WX6-WC87-RMJM

Vulnerability from github – Published: 2020-03-19 17:29 – Updated: 2024-09-20 17:31

Summary

GitHub personal access token leaking into temporary EasyBuild (debug) logs

Details

Impact

The GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like --new-pr, --from-pr, etc.) is shown in plain text in EasyBuild debug log files.

Scope:

the log message only appears in the top-level log file, not in the individual software installation logs (see https://easybuild.readthedocs.io/en/latest/Logfiles.html);
- as a consequence, tokens are not included in the partial log files that are uploaded into a gist when using --upload-test-report in combination with --from-pr, nor in the installation logs that are copied to the software installation directories;
the message is only logged when using --debug, so it will not appear when using the default EasyBuild configuration (only info messages are logged by default);
the log message is triggered via --from-pr, but also via various other GitHub integration options like --new-pr, --merge-pr, --close-pr, etc., but usually only appears in the temporary log file that is cleaned up automatically as soon as eb completes successfully;
you may have several debug log files that include your GitHub token in /tmp (or a different location if you've set the --tmpdir EasyBuild configuration option) on the systems where you use EasyBuild, but they are located in a subdirectory that is only accessible to your account (permissions set to 700);
the only way that a log file that may include your token could have been made public is if you shared it yourself, for example by copying the contents of the log file into a gist manually, or by sending a log file to someone;
for log files uploaded to GitHub, your token would be revoked automatically when GitHub notices it;

Patches

The issue is fixed with the changes in https://github.com/easybuilders/easybuild-framework/pull/3248.

This fix is included in EasyBuild v4.1.2 (released on Mon Mar 16th 2020), and in the master+ develop branches of the easybuild-framework repository since Mon Mar 16th 2020 (see https://github.com/easybuilders/easybuild-framework/pull/3248 and https://github.com/easybuilders/easybuild-framework/pull/3249 resp.).

Make sure you revoke the existing GitHub tokens you're using with EasyBuild (via https://github.com/settings/tokens), and install new ones using "eb --install-github-token --force" (see also https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html#installing-a-github-token-install-github-token).

Workarounds

avoid using the GitHub integration features (see https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html) with EasyBuild versions older than version 4.1.2;
don't share top-level EasyBuild (debug) log files with others, unless you are sure your GitHub token is not included in them;
clean up temporary EasyBuild log files in /tmpon the system(s) where you`re using EasyBuild

References

https://github.com/easybuilders/easybuild-framework/pull/3248 (PR that fixes the issue)
(release announcement to EasyBuild mailing list)

For more information

Open an issue in the easybuild-framework repository
Email us at easybuild-admin@lists.ugent.be

Severity ?

7.7 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

9.3 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "easybuild-framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-03-19T17:04:51Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--from-pr`, etc.) is shown in plain text in EasyBuild debug log files.\n\nScope:\n\n* the log message only appears in the top-level log file, *not* in the individual software installation logs (see https://easybuild.readthedocs.io/en/latest/Logfiles.html);\n    - as a consequence, tokens are *not* included in the partial log files that are uploaded into a gist when using `--upload-test-report` in combination with `--from-pr`, nor in the installation logs that are copied to the software installation directories;\n* the message is only logged when using `--debug`, so it will not appear when using the default EasyBuild configuration (only info messages are logged by default);\n* the log message is triggered via `--from-pr`, but also via various other GitHub integration options like `--new-pr`, `--merge-pr`, `--close-pr`, etc., but usually only appears in the temporary log file that is cleaned up automatically as soon as eb completes successfully;\n* you may have several debug log files that include your GitHub token in `/tmp` (or a different location if you\u0027ve set the `--tmpdir` EasyBuild configuration option) on the systems where you use EasyBuild, but they are located in a subdirectory that is only accessible to your account (permissions set to 700);\n* the only way that a log file that may include your token could have been made public is *if you shared it yourself*, for example by copying the contents of the log file into a gist manually, or by sending a log file to someone;\n* for log files uploaded to GitHub, your token would be revoked automatically when GitHub notices it;\n\n### Patches\n\nThe issue is fixed with the changes in https://github.com/easybuilders/easybuild-framework/pull/3248.\n\nThis fix is included in EasyBuild v4.1.2 (released on Mon Mar 16th 2020), and in the `master`+  `develop` branches of the `easybuild-framework` repository since Mon Mar 16th 2020 (see https://github.com/easybuilders/easybuild-framework/pull/3248 and https://github.com/easybuilders/easybuild-framework/pull/3249 resp.).\n\n**Make sure you revoke the existing GitHub tokens you\u0027re using with EasyBuild** (via https://github.com/settings/tokens), and install new ones using \"`eb --install-github-token --force`\" (see also https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html#installing-a-github-token-install-github-token).\n\n### Workarounds\n\n* avoid using the GitHub integration features (see https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html) with EasyBuild versions older than version 4.1.2;\n* don\u0027t share top-level EasyBuild (debug) log files with others, unless you are sure your GitHub token is not included in them;\n* clean up temporary EasyBuild log files in `/tmp`on the system(s) where you`re using EasyBuild\n\n### References\n\n* https://github.com/easybuilders/easybuild-framework/pull/3248 (PR that fixes the issue)\n* (release announcement to EasyBuild mailing list)\n\n### For more information\n\n* Open an issue in [the `easybuild-framework` repository](https://github.com/easybuilders/easybuild-framework)\n* Email us at [easybuild-admin@lists.ugent.be](mailto:easybuild-admin@lists.ugent.be)",
  "id": "GHSA-2wx6-wc87-rmjm",
  "modified": "2024-09-20T17:31:44Z",
  "published": "2020-03-19T17:29:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5262"
    },
    {
      "type": "WEB",
      "url": "https://github.com/easybuilders/easybuild-framework/pull/3248"
    },
    {
      "type": "WEB",
      "url": "https://github.com/easybuilders/easybuild-framework/pull/3249"
    },
    {
      "type": "WEB",
      "url": "https://github.com/easybuilders/easybuild-framework/commit/210743d0e3618a8ac0a56eb9c0f4fa4fd8ae53b9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/easybuilders/easybuild-framework"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/easybuild-framework/PYSEC-2020-41.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/easybuild/PYSEC-2020-268.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "GitHub personal access token leaking into temporary EasyBuild (debug) logs"
}

CNVD-2020-19503

Vulnerability from cnvd - Published: 2020-03-25

Title

EasyBuild日志信息泄露漏洞

Description

EasyBuild是一款软件构建和安装框架。 EasyBuild 4.1.2之前版本中存在日志信息泄露漏洞。该漏洞源于网络系统或产品的日志文件非正常输出。目前没有详细的漏洞细节提供。

Severity

中

Patch Name

EasyBuild日志信息泄露漏洞的补丁

Patch Description

EasyBuild是一款软件构建和安装框架。 EasyBuild 4.1.2之前版本中存在日志信息泄露漏洞。该漏洞源于网络系统或产品的日志文件非正常输出。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm

Reference

https://github.com/easybuilders/easybuild-framework/pull/3248

Impacted products

Name
EasyBuild EasyBuild <4.1.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-5262",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-5262"
    }
  },
  "description": "EasyBuild\u662f\u4e00\u6b3e\u8f6f\u4ef6\u6784\u5efa\u548c\u5b89\u88c5\u6846\u67b6\u3002\n\nEasyBuild 4.1.2\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u65e5\u5fd7\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u7684\u65e5\u5fd7\u6587\u4ef6\u975e\u6b63\u5e38\u8f93\u51fa\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-19503",
  "openTime": "2020-03-25",
  "patchDescription": "EasyBuild\u662f\u4e00\u6b3e\u8f6f\u4ef6\u6784\u5efa\u548c\u5b89\u88c5\u6846\u67b6\u3002\r\n\r\nEasyBuild 4.1.2\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u65e5\u5fd7\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u7684\u65e5\u5fd7\u6587\u4ef6\u975e\u6b63\u5e38\u8f93\u51fa\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "EasyBuild\u65e5\u5fd7\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "EasyBuild EasyBuild \u003c4.1.2"
  },
  "referenceLink": "https://github.com/easybuilders/easybuild-framework/pull/3248",
  "serverity": "\u4e2d",
  "submitTime": "2020-03-23",
  "title": "EasyBuild\u65e5\u5fd7\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

PYSEC-2020-268

Vulnerability from pysec - Published: 2020-03-19 17:15 - Updated: 2021-11-24 22:46

Details

In EasyBuild before version 4.1.2, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like --new-pr, --fro,-pr, etc.) is shown in plain text in EasyBuild debug log files. This issue is fixed in EasyBuild v4.1.2, and in the master+ develop branches of the easybuild-framework repository.

Impacted products

Name	purl
easybuild	pkg:pypi/easybuild

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "easybuild",
        "purl": "pkg:pypi/easybuild"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0.0",
        "1.0.1",
        "1.0.2",
        "1.1.0",
        "1.10.0",
        "1.11.0",
        "1.11.1",
        "1.12.0",
        "1.12.1",
        "1.13.0",
        "1.14.0",
        "1.15.0",
        "1.15.1",
        "1.15.2",
        "1.16.0",
        "1.16.1",
        "1.16.2",
        "1.2.0",
        "1.2.0rc1",
        "1.3.0",
        "1.4.0",
        "1.5.0",
        "1.6.0",
        "1.7.0",
        "1.8.0",
        "1.8.1",
        "1.8.2",
        "1.9.0",
        "2.0.0",
        "2.1.0",
        "2.1.1",
        "2.2.0",
        "2.3.0",
        "2.4.0",
        "2.5.0",
        "2.6.0",
        "2.7.0",
        "2.8.0",
        "2.8.1",
        "2.8.2",
        "2.9.0",
        "3.0.0",
        "3.0.1",
        "3.0.2",
        "3.1.0",
        "3.1.1",
        "3.1.2",
        "3.2.0",
        "3.2.1",
        "3.3.0",
        "3.3.1",
        "3.4.0",
        "3.4.1",
        "3.5.0",
        "3.5.1",
        "3.5.2",
        "3.5.3",
        "3.6.0",
        "3.6.1",
        "3.6.2",
        "3.7.0",
        "3.7.1",
        "3.8.0",
        "3.8.1",
        "3.9.0",
        "3.9.1",
        "3.9.2",
        "3.9.3",
        "3.9.4",
        "4.0.0",
        "4.0.1",
        "4.1.0",
        "4.1.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5262",
    "GHSA-2wx6-wc87-rmjm"
  ],
  "details": "In EasyBuild before version 4.1.2, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--fro,-pr`, etc.) is shown in plain text in EasyBuild debug log files. This issue is fixed in EasyBuild v4.1.2, and in the `master`+ `develop` branches of the `easybuild-framework` repository.",
  "id": "PYSEC-2020-268",
  "modified": "2021-11-24T22:46:59.562632Z",
  "published": "2020-03-19T17:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/easybuilders/easybuild-framework/pull/3248"
    },
    {
      "type": "WEB",
      "url": "https://github.com/easybuilders/easybuild-framework/pull/3249"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm"
    }
  ]
}

PYSEC-2020-41

Vulnerability from pysec - Published: 2020-03-19 17:15 - Updated: 2020-03-23 18:15

Details

Impacted products

Name	purl
easybuild-framework	pkg:pypi/easybuild-framework

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "easybuild-framework",
        "purl": "pkg:pypi/easybuild-framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0",
        "1.0.1",
        "1.0.2",
        "1.1.0",
        "1.2.0rc1",
        "1.2.0",
        "1.3.0",
        "1.4.0",
        "1.5.0",
        "1.6.0",
        "1.7.0",
        "1.8.0",
        "1.8.1",
        "1.8.2",
        "1.9.0",
        "1.10.0",
        "1.11.0",
        "1.11.1",
        "1.12.0",
        "1.12.1",
        "1.13.0",
        "1.14.0",
        "1.15.0",
        "1.15.1",
        "1.15.2",
        "1.16.0",
        "1.16.1",
        "1.16.2",
        "2.0.0",
        "2.1.0",
        "2.1.1",
        "2.2.0",
        "2.3.0",
        "2.4.0",
        "2.5.0",
        "2.6.0",
        "2.7.0",
        "2.8.0",
        "2.8.1",
        "2.8.2",
        "2.9.0",
        "3.0.0",
        "3.0.1",
        "3.0.2",
        "3.1.0",
        "3.1.1",
        "3.1.2",
        "3.2.0",
        "3.2.1",
        "3.3.0",
        "3.3.1",
        "3.4.0",
        "3.4.1",
        "3.5.0",
        "3.5.1",
        "3.5.2",
        "3.5.3",
        "3.6.0",
        "3.6.1",
        "3.6.2",
        "3.7.0",
        "3.7.1",
        "3.8.0",
        "3.8.1",
        "3.9.0",
        "3.9.1",
        "3.9.2",
        "3.9.3",
        "3.9.4",
        "4.0.0",
        "4.0.1",
        "4.1.0",
        "4.1.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5262",
    "GHSA-2wx6-wc87-rmjm"
  ],
  "details": "In EasyBuild before version 4.1.2, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--fro,-pr`, etc.) is shown in plain text in EasyBuild debug log files. This issue is fixed in EasyBuild v4.1.2, and in the `master`+ `develop` branches of the `easybuild-framework` repository.",
  "id": "PYSEC-2020-41",
  "modified": "2020-03-23T18:15:00Z",
  "published": "2020-03-19T17:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/easybuilders/easybuild-framework/pull/3248"
    },
    {
      "type": "WEB",
      "url": "https://github.com/easybuilders/easybuild-framework/pull/3249"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm"
    }
  ]
}

FKIE_CVE-2020-5262

Vulnerability from fkie_nvd - Published: 2020-03-19 17:15 - Updated: 2024-11-21 05:33

Severity ?

7.7 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/easybuilders/easybuild-framework/pull/3248	Exploit, Third Party Advisory
security-advisories@github.com	https://github.com/easybuilders/easybuild-framework/pull/3249	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/easybuilders/easybuild-framework/pull/3248	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/easybuilders/easybuild-framework/pull/3249	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm	Third Party Advisory

Impacted products

	Vendor	Product	Version
	easybuild_project	easybuild	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:easybuild_project:easybuild:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E97403C7-E917-4667-BC90-39FA6DD8D591",
              "versionEndExcluding": "4.1.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In EasyBuild before version 4.1.2, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--fro,-pr`, etc.) is shown in plain text in EasyBuild debug log files. This issue is fixed in EasyBuild v4.1.2, and in the `master`+ `develop` branches of the `easybuild-framework` repository."
    },
    {
      "lang": "es",
      "value": "En EasyBuild versiones anteriores a 4.1.2, el GitHub Personal Access Token (PAT) usado por EasyBuild para las funcionalidades de integraci\u00f3n de GitHub (como \"--new-pr\",\"--fro, -pr\", etc.) se muestra en texto plano en archivos de registro de depuraci\u00f3n de EasyBuild. Este problema es corregido en EasyBuild versi\u00f3n v4.1.2 y en las derivaciones \"master\"+\" develop\" del repositorio \"easybuild-framework\"."
    }
  ],
  "id": "CVE-2020-5262",
  "lastModified": "2024-11-21T05:33:47.540",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-03-19T17:15:13.000",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/easybuilders/easybuild-framework/pull/3248"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/easybuilders/easybuild-framework/pull/3249"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/easybuilders/easybuild-framework/pull/3248"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/easybuilders/easybuild-framework/pull/3249"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-922"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-5262 (GCVE-0-2020-5262)

GSD-2020-5262

GHSA-2WX6-WC87-RMJM

Impact

Patches

Workarounds

References

For more information

CNVD-2020-19503

PYSEC-2020-268

PYSEC-2020-41

FKIE_CVE-2020-5262

Tags

Sightings

Nomenclature