PT-2021-19822 · Github · Codeql Runner

Jlleitschuh · Published 2021-05-25 · Updated 2022-07-02 · CVE-2021-32638

CVSS v3.1 4.4 Medium
Vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: CodeQL runner (affected versions not specified)
Description: The CodeQL runner previously suggested passing a GitHub token as a command-line parameter, making it visible to other processes on the same machine. This can expose the GitHub access token beyond its intended scope if the CI system publicly exposes the output of the ps command. Users of the CodeQL runner on third-party systems who pass a GitHub token via the --github-auth flag are affected. The --github-auth flag is now considered insecure and deprecated. To provide a GitHub access token securely, use the --github-auth-stdin flag and pass the token via standard input, or set the GITHUB_TOKEN environment variable.
Recommendations: Update to a recent version of the CodeQL runner. Store the token in your CI system's secret storage mechanism and pass it to the CodeQL runner using --github-auth-stdin or the GITHUB_TOKEN environment variable. If the old flag is still in use, ensure that process listings, such as ps output, are not persisted in CI logs.
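As an added illustration that is not part of this advisory or of the CodeQL runner project: a small Python checker that scans the command lines of a CI job for the deprecated --github-auth flag (in both the `--github-auth TOKEN` and `--github-auth=TOKEN` forms) and rewrites each hit to the --github-auth-stdin form, with the token supplied from the CI secret store through the GITHUB_TOKEN environment variable. The sample command lines, the token placeholders and the function names are constructed for this example.

```python
import shlex

DEPRECATED_FLAG = "--github-auth"   # token lands in argv, visible in `ps` output
SAFE_FLAG = "--github-auth-stdin"   # token is read from standard input instead

def redact(token: str) -> str:
    """Keep only a short prefix so a finding can be reported without re-leaking the secret."""
    return token[:4] + "*" * max(len(token) - 4, 0)

def find_token_on_cli(cmdline: str):
    """Return a finding if `cmdline` passes a token via --github-auth, otherwise None.
    The finding carries the redacted token and a rewritten command that feeds the
    token over stdin from GITHUB_TOKEN (set from the CI secret store). `printf` is a
    shell builtin in sh/bash, so the expanded token never appears as a process argument."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:              # unbalanced quotes: not a parseable command line
        return None
    for i, arg in enumerate(argv):
        if arg == DEPRECATED_FLAG and i + 1 < len(argv):
            token, rest = argv[i + 1], argv[i + 2:]         # --github-auth TOKEN
        elif arg.startswith(DEPRECATED_FLAG + "="):
            token, rest = arg.split("=", 1)[1], argv[i + 1:]  # --github-auth=TOKEN
        else:
            continue                # note: --github-auth-stdin does not match either branch
        fixed = shlex.join(argv[:i] + [SAFE_FLAG] + rest)
        return {"token": redact(token),
                "fixed": "printf '%s' \"$GITHUB_TOKEN\" | " + fixed}
    return None

def scan_job(cmdlines):
    """Run the check over every command line of a CI job; returns findings with line numbers."""
    findings = []
    for n, line in enumerate(cmdlines, start=1):
        hit = find_token_on_cli(line)
        if hit:
            findings.append({"line": n, **hit})
    return findings

# Constructed sample job: two exposed invocations followed by two safe ones (tokens are fake).
SAMPLE_JOB = [
    "codeql-runner init --repository example/repo --github-auth ghp_EXAMPLE0000000000",
    "codeql-runner analyze --repository example/repo --github-auth=ghp_EXAMPLE0000000000",
    "codeql-runner init --repository example/repo --github-auth-stdin",
    "codeql-runner analyze --repository example/repo",   # relies on GITHUB_TOKEN in the environment
]

if __name__ == "__main__":
    for f in scan_job(SAMPLE_JOB):
        print(f"line {f['line']}: token {f['token']} is exposed on the command line")
        print(f"  use instead: {f['fixed']}")
```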

Exploit · Fix · Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2021-32638
GHSA-G36V-2XFF-PV5M

Affected Products

Codeql Runner