npm

Severity: moderate

Sensitive Data In Log Files

grunt-gh-pages

Overview

Versions of grunt-gh-pages prior to 1.0.0 are affected by a vulnerability which may cause unencrypted github credentials to be written to a log file in certain circumstances.

In the grunt-gh-pages deployment scenario where authentication is performed by injecting a github token directly into the auth portion of the URL, grunt-gh-pages will write the token to a log file, unencrypted.

Remediation

Update to version 1.0.0 or later.

Resources

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Mar 16th, 2016
  2. reported

    Initial report by Stephan Bönnemann
    Mar 16th, 2016