CVE-2022-39304 — JWT leak in github.com/bradleyfalzon/ghinstallation

Description

Errors returned by ghinstallation.Transport can include the JWT used for the failed operation. If the error is exposed to an untrusted party, this JWT could be extracted and used to authenticate further requests.

How to fix CVE-2022-39304

To remediate CVE-2022-39304, upgrade the affected package to a fixed version below.

Go/github.com/bradleyfalzon/ghinstallation—upgrade to 2.0.0 or later
—upgrade to 1.1.2-0.20210308182858-d24f14f8be70 or later

Is CVE-2022-39304 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.0.0
from 0, < 1.1.2-0.20210308182858-d24f14f8be70

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.0	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-39304
ADVISORYsecuritylab.github.com/advisories/GHSL-2022-061_ghinstallation
PATCHgithub.com/bradleyfalzon/ghinstallation
WEBdocs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation