CVE-2022-39304

Name of the Vulnerable Software and Affected Versions ghinstallation versions 1 through 1 ghinstallation version 2.0.0 is not affected as it contains the fix for the issue.

Description The issue concerns ghinstallation, which provides transport implementing http.RoundTripper for authentication as a GitHub App installation. When the request to refresh an installation token failed in version 1, the HTTP request and response were returned for debugging, containing the bearer JWT for the App. This token, although short-lived with a maximum of 10 minutes, could be returned to clients. There is no information provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited.

Recommendations For ghinstallation versions 1, update to version 2.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the ghinstallation.Transport to minimize the risk of exploitation until a patch is applied. Avoid exposing errors returned by ghinstallation.Transport to untrusted parties to prevent potential JWT extraction and misuse.