
CVE-2017-16225: Github Token Leak in aegir

CVSS Score: 5

Basic Information

EPSS Score: 0.54157%
Published: 7/24/2018
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| aegir | npm | >= 12.0.0, <= 12.0.7 | 12.0.8 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The security patch modifies the `getEnv()` function in `utils.js` to explicitly exclude the `AEGIR_GHTOKEN` environment variable from the set of processed environment variables. This directly addresses the information exposure vulnerability by preventing the GitHub token from being bundled during `aegir-release` execution. The function would appear in runtime profiling because it is responsible for collecting environment variables during package publication.
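The following is an added illustration of the defect class the analysis describes, not aegir's own code: a release helper that copies the whole process environment into a published artifact ships any secret that happens to be set, and the fix is to drop the token before the environment is serialised. Only the names `getEnv()` and `AEGIR_GHTOKEN` come from the advisory; `getEnvVulnerable`, `getEnvAllowlisted`, `bundleEnv`, `findLeakedKeys` and the sample environment are assumptions constructed for the example. The allowlist variant goes beyond the page's name-based exclusion.

```javascript
// Added example (not aegir's own code). Shows the environment-collection bug
// described in the root-cause analysis and two ways to close it.

// Constructed stand-in for process.env on a release machine. The token value is
// a placeholder, not a real credential.
const SAMPLE_ENV = {
  NODE_ENV: 'production',
  PATH: '/usr/bin',
  AEGIR_GHTOKEN: 'PLACEHOLDER_GITHUB_TOKEN',
};

// Vulnerable pattern: every variable is copied, so the token lands in the bundle.
function getEnvVulnerable(env = SAMPLE_ENV) {
  return Object.assign({}, env);
}

// Patched pattern, mirroring the advisory: exclude the token by name.
// (Assumed shape; aegir's real implementation may differ in detail.)
function getEnv(env = SAMPLE_ENV) {
  const out = {};
  for (const [key, value] of Object.entries(env)) {
    if (key === 'AEGIR_GHTOKEN') continue; // never bundle the GitHub token
    out[key] = value;
  }
  return out;
}

// Stronger variant (beyond the page): only copy variables a bundle legitimately
// needs, so a newly introduced secret cannot leak by default.
function getEnvAllowlisted(env = SAMPLE_ENV, allow = ['NODE_ENV']) {
  const out = {};
  for (const key of allow) {
    if (key in env) out[key] = env[key];
  }
  return out;
}

// Simulates what a bundler would embed: the serialised environment object.
function bundleEnv(envFn, env = SAMPLE_ENV) {
  return JSON.stringify(envFn(env));
}

// Post-build check a maintainer can run on the artifact: which secret names
// (or their values) still appear in the serialised output?
function findLeakedKeys(serialised, secrets = { AEGIR_GHTOKEN: SAMPLE_ENV.AEGIR_GHTOKEN }) {
  return Object.entries(secrets)
    .filter(([name, value]) => serialised.includes(name) || serialised.includes(value))
    .map(([name]) => name);
}

// Demonstration run.
console.log('vulnerable bundle leaks:', findLeakedKeys(bundleEnv(getEnvVulnerable)));
console.log('patched bundle leaks:   ', findLeakedKeys(bundleEnv(getEnv)));
console.log('allowlisted bundle:     ', bundleEnv(getEnvAllowlisted));
```

`findLeakedKeys` is the kind of check worth wiring into a release pipeline: it scans the artifact for both the variable name and its value, since a denylist such as the one in the patch only protects the names it knows about.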


WAF Protection Rules

WAF Rule

Affected versions of `aegir` bundle and publish the current user's GitHub token to npm when `aegir-release` is executed.

## Recommendation

Update to version 12.0.8 or later. If you used this module to do a release for your project you should inval
