grunt-gh-pages

Sensitive Data In Log Files

Severity: moderate

Overview

Versions of grunt-gh-pages prior to 1.0.0 are affected by a vulnerability that may cause unencrypted GitHub credentials to be written to a log file in certain circumstances.

In the grunt-gh-pages deployment scenario where authentication is performed by injecting a GitHub token directly into the auth portion of the URL, grunt-gh-pages writes the token to a log file, unencrypted.
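
One way to keep the auth portion of a remote URL out of log output, and to check existing logs for it, shown as an added example that is not grunt-gh-pages code. The function names, the `<redacted>` marker and the sample log lines are constructed for illustration.

```javascript
// Added example (not grunt-gh-pages code): mask URL userinfo before logging
// and locate log lines that already contain it.

// Matches scheme://userinfo@ where userinfo has no '/', '@' or whitespace.
// Group 1 is the scheme prefix, group 2 the auth portion (token or user:token).
const URL_USERINFO = /\b([a-z][a-z0-9+.-]*:\/\/)([^\s\/@]+)@/gi;

// Replace the auth portion of every URL in a log message with a marker.
// URLs without userinfo and scp-style remotes (git@host:path) are unchanged,
// because neither carries a secret between "://" and "@".
function redactUrlCredentials(message) {
  return String(message).replace(URL_USERINFO, '$1<redacted>@');
}

// Return the 1-based numbers of log lines that contain URL credentials.
// A line is a hit when redaction would change it.
function findLeakedCredentials(logText) {
  const hits = [];
  String(logText).split(/\r?\n/).forEach((line, index) => {
    if (redactUrlCredentials(line) !== line) {
      hits.push(index + 1);
    }
  });
  return hits;
}

// Constructed sample log. EXAMPLE_TOKEN is a placeholder, not a credential.
const SAMPLE_LOG = [
  'Cloning https://EXAMPLE_TOKEN@github.com/example/repo.git into .grunt/',
  'Pushing to https://deploy:EXAMPLE_TOKEN@github.com/example/repo.git',
  'Cloning git@github.com:example/repo.git into .grunt/',
  'Fetching https://github.com/example/repo.git',
].join('\n');

console.log('lines with credentials:', findLeakedCredentials(SAMPLE_LOG));
console.log(redactUrlCredentials(SAMPLE_LOG));
```
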

Remediation

Update to version 1.0.0 or later.

Vulnerable versions

0.1.0 (5 years ago)
0.2.0 (5 years ago)
0.3.0 (5 years ago)
0.4.0 (5 years ago)
0.5.0 (5 years ago)
0.5.1 (5 years ago)
0.6.0 (5 years ago)
0.7.0 (5 years ago)
0.7.1 (5 years ago)
0.7.2 (5 years ago)
0.7.3 (5 years ago)
0.7.4 (5 years ago)
0.7.5 (5 years ago)
0.7.6 (5 years ago)
0.8.0 (5 years ago)
0.8.1 (5 years ago)
0.9.0 (5 years ago)
0.9.1 (4 years ago)

Unaffected versions

0.10.0 (4 years ago)
1.0.0 (3 years ago)
1.1.0 (2 years ago)
1.2.0 (2 years ago)
2.0.0 (2 years ago)

Advisory timeline

  1. Published: Advisory published, Mar 16th, 2016
  2. Reported: Initial report by Stephan Bönnemann, Mar 16th, 2016