PT-2020-18353 · Github · Easybuild

Wpoely86 · Published 2020-03-19 · Updated 2020-03-23 · CVE-2020-5262

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: EasyBuild versions prior to 4.1.2

Description: The GitHub Personal Access Token (PAT) that EasyBuild uses for its GitHub integration features is written in plain text to EasyBuild debug log files. The leak is triggered by the GitHub-related options such as --new-pr and --from-pr, and only when --debug is enabled. The token is written to the top-level EasyBuild log file, not to the per-installation software logs. GitHub revokes the token automatically if a log file containing it is pushed to GitHub; a log file shared through any other channel (a pastebin, a bug report attachment, a shared /tmp on a cluster login node) leaves the token valid for whoever reads it.

Recommendations: For EasyBuild versions prior to 4.1.2, update to EasyBuild version 4.1.2 or later. Because any token that has already been written to a debug log must be treated as exposed, also revoke the existing GitHub tokens used with EasyBuild and install new ones with eb --install-github-token --force. As a temporary workaround on affected versions, avoid the GitHub integration features, do not share top-level EasyBuild debug log files, and clean up temporary EasyBuild log files in /tmp.
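Before deciding which tokens to revoke and which temporary logs to delete, an administrator wants to know which top-level debug logs actually contain a token. The script below is an added example written for this page; it is not part of the advisory and not EasyBuild's own code. It assumes that top-level logs are named easybuild-*.log somewhere under the temporary directory (EasyBuild's default naming; adjust the glob if your site configures a different tempdir or log name), and the log lines it scans are constructed for illustration rather than copied from EasyBuild's real debug message. It recognises both the 40-hex-character PATs GitHub issued in 2020 and the newer prefixed ghp_/gho_/ghu_/ghs_/ghr_ format; because a 40-hex string is indistinguishable from a git commit hash, and --from-pr logs contain plenty of those, the hex pattern is only applied to lines that mention a token.

```python
"""Scan EasyBuild top-level debug logs for leaked GitHub tokens and redact them.

Added example for this advisory page; not part of EasyBuild. The sample log
below is constructed and does not reproduce EasyBuild's actual debug message.
Assumptions: logs are named easybuild-*.log under the temp dir, and a token is
either a 2020-era bare 40-hex PAT or a newer prefixed PAT (ghp_..., gho_...).
"""
import glob
import os
import re
import tempfile

# Newer GitHub tokens carry a recognisable prefix and can be matched anywhere.
PREFIXED_PAT = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")
# 2020-era PATs were bare 40-hex strings, indistinguishable from git commit
# hashes, so this pattern is only applied on lines that talk about a token.
HEX40 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")
TOKEN_CONTEXT = re.compile(r"token", re.IGNORECASE)


def find_token_leaks(text):
    """Return [(line_number, token), ...] for every token found in the log text."""
    leaks = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PREFIXED_PAT.finditer(line):
            leaks.append((lineno, m.group(0)))
        if TOKEN_CONTEXT.search(line):
            for m in HEX40.finditer(line):
                leaks.append((lineno, m.group(0)))
    return leaks


def mask(token, keep=4):
    """Keep a short prefix so the owner can tell which token leaked, hide the rest."""
    return token[:keep] + "*" * (len(token) - keep)


def redact(text):
    """Return the log text with every detected token replaced by its masked form."""
    lines = text.splitlines(keepends=True)
    for lineno, token in find_token_leaks(text):
        lines[lineno - 1] = lines[lineno - 1].replace(token, mask(token))
    return "".join(lines)


def scan_directory(directory, pattern="easybuild-*.log"):
    """Scan matching logs below 'directory'; return {path: [(lineno, masked), ...]}.

    Only files that contain at least one token are reported, so the result is
    the list of logs to redact or delete and the tokens to revoke.
    """
    report = {}
    for path in glob.glob(os.path.join(directory, "**", pattern), recursive=True):
        with open(path, encoding="utf-8", errors="replace") as fh:
            leaks = find_token_leaks(fh.read())
        if leaks:
            report[path] = [(n, mask(t)) for n, t in leaks]
    return report


# Constructed sample top-level debug log: one 2020-era token on a token-related
# line, one unrelated commit hash that must NOT be flagged, one prefixed token.
SAMPLE_LOG = """\
== 2020-03-18 10:00:01,000 main.main [DEBUG] Using GitHub token 0123456789abcdef0123456789abcdef01234567 for user example
== 2020-03-18 10:00:02,000 github.fetch_pr_data [DEBUG] Fetching PR #1 for easybuilders/easybuild-easyconfigs
== 2020-03-18 10:00:03,000 github.fetch_pr_data [DEBUG] Checking out commit 89abcdef0123456789abcdef0123456789abcdef
== 2020-03-18 10:00:04,000 github.fetch_github_token [DEBUG] token: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
"""


def demo_scan():
    """Write the constructed sample into a temporary dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "eb-demo", "easybuild-demo.log")
        os.makedirs(os.path.dirname(path))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LOG)
        return scan_directory(tmp)


if __name__ == "__main__":
    for found_path, hits in demo_scan().items():
        print(found_path)
        for lineno, masked in hits:
            print("  line %d: %s" % (lineno, masked))
```

Run it against the real temp directory with scan_directory(tempfile.gettempdir()) (or the tempdir your EasyBuild configuration uses); every file it lists is one whose token must be revoked, not just one to delete, since the log may already have been copied elsewhere. The same mask() helper is the shape of what a debug statement should emit in the first place: a recognisable prefix for troubleshooting, never the full credential.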

Weakness Enumeration

CWE-532: Insertion of Sensitive Information into Log File
CWE-922: Insecure Storage of Sensitive Information

Related Identifiers

CVE-2020-5262
GHSA-2WX6-WC87-RMJM
PYSEC-2020-268
PYSEC-2020-41

Affected Products

Easybuild