Skip to content

Github Token Leak in aegir

High severity GitHub Reviewed Published Jul 24, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm aegir (npm)

Affected versions

>= 12.0.0, <= 12.0.7

Patched versions

12.0.8

Description

Affected versions of aegir bundle and publish the current users github token to npm when aegir-release is executed.

Recommendation

Update to version 12.0.8 or later.

If you used this module to do a release for your project you should invalidate the GitHub tokens that were leaked.

References

Published to the GitHub Advisory Database Jul 24, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

0.168%
(55th percentile)

Weaknesses

CVE ID

CVE-2017-16225

GHSA ID

GHSA-6xhf-x49c-m5m6

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.