CVE-2022-39304 MEDIUM

CVE-2022-39304: ghinstallation returns app JWT in error responses

Vendor Bradleyfalzon
Product ghinstallation
Weakness CWE-209 · Error message info leak
Published December 20, 2022
Last update April 16, 2025

CVSS base score

5.0/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L

What the vulnerability does

Description

ghinstallation provides transport, which implements http.RoundTripper to authenticate requests as a GitHub App installation. In ghinstallation version 1, when the request to refresh an installation token failed, the HTTP request and response were included in the returned error for debugging. That request carried the App's bearer JWT in its Authorization header, so the JWT was handed back to callers of the transport. The token is short lived (10 minute maximum). The issue has been patched in version 2.0.0.
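The following Go program is an added illustration of the CWE-209 pattern the advisory describes and of the fix: it is not ghinstallation's code. Both refresh variants, the token endpoint, the placeholder App JWT, and the canned 401 transport are constructed for the example; the vulnerable variant dumps the outbound request (Authorization header included) into its error, while the fixed variant keeps the same diagnostics but scrubs credential-bearing headers first.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httputil"
	"strings"
)

// Constructed placeholder; a real App JWT is a short-lived RS256 token.
const demoJWT = "eyJhbGciOiJSUzI1NiJ9.PLACEHOLDER-APP-JWT.signature"

// Assumed endpoint shape, standing in for GitHub's access_tokens route.
const endpoint = "https://api.example.invalid/app/installations/1/access_tokens"

// Headers whose values must never reach an error message or a log line.
var redactedHeaders = []string{"Authorization", "Cookie"}

// canned401 is a constructed stand-in for the API: every call is answered
// with 401 Bad credentials, as happens for an expired or mis-signed App JWT.
type canned401 struct{}

func (canned401) RoundTrip(r *http.Request) (*http.Response, error) {
	body := `{"message":"Bad credentials"}`
	return &http.Response{
		Status: "401 Unauthorized", StatusCode: http.StatusUnauthorized,
		Proto: "HTTP/1.1", ProtoMajor: 1, ProtoMinor: 1,
		Header:        http.Header{"Content-Type": []string{"application/json"}},
		Body:          io.NopCloser(strings.NewReader(body)),
		ContentLength: int64(len(body)),
		Request:       r,
	}, nil
}

// exchangeJWT sends the App JWT to the token endpoint and returns both the
// request and the response so the caller decides what to report on failure.
func exchangeJWT(client *http.Client, tokenURL, jwt string) (*http.Request, *http.Response, error) {
	req, err := http.NewRequest(http.MethodPost, tokenURL, nil)
	if err != nil {
		return nil, nil, err
	}
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := client.Do(req)
	return req, resp, err
}

// refreshLeaky reproduces the vulnerable pattern: a non-201 reply makes it
// dump the whole outbound request, bearer JWT included, into the error.
func refreshLeaky(client *http.Client, tokenURL, jwt string) error {
	req, resp, err := exchangeJWT(client, tokenURL, jwt)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		reqDump, _ := httputil.DumpRequestOut(req, false)
		respDump, _ := httputil.DumpResponse(resp, true)
		return fmt.Errorf("token refresh failed:\n%s\n%s", reqDump, respDump)
	}
	return nil
}

// redactHeaders returns a copy of h with secret-bearing values replaced.
func redactHeaders(h http.Header) http.Header {
	out := h.Clone()
	for _, name := range redactedHeaders {
		if _, ok := out[http.CanonicalHeaderKey(name)]; ok {
			out.Set(name, "[REDACTED]")
		}
	}
	return out
}

// refreshRedacted keeps the diagnostics (status, method, URL, headers, a
// bounded slice of the body) but scrubs credentials before they can reach
// an error value, a log line, or a caller of the transport.
func refreshRedacted(client *http.Client, tokenURL, jwt string) error {
	req, resp, err := exchangeJWT(client, tokenURL, jwt)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		safeReq := req.Clone(req.Context())
		safeReq.Header = redactHeaders(req.Header)
		reqDump, _ := httputil.DumpRequestOut(safeReq, false)
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1024))
		return fmt.Errorf("token refresh failed: %s\n%s\n%s", resp.Status, reqDump, body)
	}
	return nil
}

// leaksSecret is the guard a unit test would apply to any message that is
// about to be returned or logged.
func leaksSecret(msg, secret string) bool { return strings.Contains(msg, secret) }

// demo runs both variants against the canned 401 transport and returns the
// two error messages for comparison.
func demo() (leaky, redacted string) {
	client := &http.Client{Transport: canned401{}}
	if err := refreshLeaky(client, endpoint, demoJWT); err != nil {
		leaky = err.Error()
	}
	if err := refreshRedacted(client, endpoint, demoJWT); err != nil {
		redacted = err.Error()
	}
	return leaky, redacted
}

func main() {
	leaky, redacted := demo()
	fmt.Printf("leaky error carries App JWT: %v\n", leaksSecret(leaky, demoJWT))
	fmt.Printf("redacted error carries App JWT: %v\n", leaksSecret(redacted, demoJWT))
	fmt.Println(redacted)
}
```

The redaction is applied to a clone of the request rather than the original, so the real headers stay intact for a retry while every copy that can escape the transport (error strings, debug dumps) is scrubbed; the same `leaksSecret` check can be run over a library's error values in CI to catch regressions of this class.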

Key dates

Disclosure timeline

December 20, 2022 CVE published
April 16, 2025 Record updated