Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ3eDYtd2M4Ny1ybWpt
GitHub personal access token leaking into temporary EasyBuild (debug) logs
Impact
The GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like --new-pr, --from-pr, etc.) is shown in plain text in EasyBuild debug log files.
Scope:
- the log message only appears in the top-level log file, not in the individual software installation logs (see https://easybuild.readthedocs.io/en/latest/Logfiles.html);
- as a consequence, tokens are not included in the partial log files that are uploaded into a gist when using
--upload-test-reportin combination with--from-pr, nor in the installation logs that are copied to the software installation directories;
- as a consequence, tokens are not included in the partial log files that are uploaded into a gist when using
- the message is only logged when using
--debug, so it will not appear when using the default EasyBuild configuration (only info messages are logged by default); - the log message is triggered via
--from-pr, but also via various other GitHub integration options like--new-pr,--merge-pr,--close-pr, etc., but usually only appears in the temporary log file that is cleaned up automatically as soon as eb completes successfully; - you may have several debug log files that include your GitHub token in
/tmp(or a different location if you've set the--tmpdirEasyBuild configuration option) on the systems where you use EasyBuild, but they are located in a subdirectory that is only accessible to your account (permissions set to 700); - the only way that a log file that may include your token could have been made public is if you shared it yourself, for example by copying the contents of the log file into a gist manually, or by sending a log file to someone;
- for log files uploaded to GitHub, your token would be revoked automatically when GitHub notices it;
Patches
The issue is fixed with the changes in https://github.com/easybuilders/easybuild-framework/pull/3248.
This fix is included in EasyBuild v4.1.2 (released on Mon Mar 16th 2020), and in the master+ develop branches of the easybuild-framework repository since Mon Mar 16th 2020 (see https://github.com/easybuilders/easybuild-framework/pull/3248 and https://github.com/easybuilders/easybuild-framework/pull/3249 resp.).
Make sure you revoke the existing GitHub tokens you're using with EasyBuild (via https://github.com/settings/tokens), and install new ones using "eb --install-github-token --force" (see also https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html#installing-a-github-token-install-github-token).
Workarounds
- avoid using the GitHub integration features (see https://easybuild.readthedocs.io/en/latest/Integration_with_GitHub.html) with EasyBuild versions older than version 4.1.2;
- don't share top-level EasyBuild (debug) log files with others, unless you are sure your GitHub token is not included in them;
- clean up temporary EasyBuild log files in
/tmpon the system(s) where you`re using EasyBuild
References
- https://github.com/easybuilders/easybuild-framework/pull/3248 (PR that fixes the issue)
- (release announcement to EasyBuild mailing list)
For more information
- Open an issue in the
easybuild-frameworkrepository - Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ3eDYtd2M4Ny1ybWpt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 5 years ago
Updated: 3 months ago
CVSS Score: 7.7
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Percentage: 0.00045
EPSS Percentile: 0.1735
Identifiers: GHSA-2wx6-wc87-rmjm, CVE-2020-5262
References:
- https://github.com/easybuilders/easybuild-framework/security/advisories/GHSA-2wx6-wc87-rmjm
- https://github.com/easybuilders/easybuild-framework/pull/3248
- https://github.com/easybuilders/easybuild-framework/pull/3249
- https://github.com/easybuilders/easybuild-framework/commit/210743d0e3618a8ac0a56eb9c0f4fa4fd8ae53b9
- https://nvd.nist.gov/vuln/detail/CVE-2020-5262
- https://github.com/pypa/advisory-database/tree/main/vulns/easybuild-framework/PYSEC-2020-41.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/easybuild/PYSEC-2020-268.yaml
- https://github.com/advisories/GHSA-2wx6-wc87-rmjm
Blast Radius: 10.6
Affected Packages
pypi:easybuild-framework
Dependent packages: 1Dependent repositories: 24
Downloads: 2,870 last month
Affected Version Ranges: < 4.1.2
Fixed in: 4.1.2
All affected versions: 1.0.1, 1.0.2, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.10.0, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.13.0, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.16.1, 1.16.2, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.7.0, 3.7.1, 3.8.0, 3.8.1, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 4.0.0, 4.0.1, 4.1.0, 4.1.1
All unaffected versions: 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.6.0, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.2, 4.8.0, 4.8.1, 4.8.2, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4