CVE-2017-16225: GitHub Token Leak in aegir
CVSS Score: 5
Basic Information
CVE ID: CVE-2017-16225
GHSA ID
EPSS Score: 0.54157%
CWE
Published: 7/24/2018
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector (CVSS v2): AV:N/AC:L/Au:N/C:P/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
aegir | npm | >= 12.0.0, <= 12.0.7 | 12.0.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The security patch modifies the getEnv() function in utils.js to explicitly exclude the AEGIR_GHTOKEN environment variable from the set of environment variables it collects. This directly addresses the information exposure: getEnv() gathers environment variables for bundling during aegir-release, so a GitHub token present in the release environment was copied into the published package along with everything else. With the token excluded, it is no longer bundled. In runtime profiling, getEnv() is the function that would appear, since it is responsible for collecting environment variables during package publication. Upgrading to 12.0.8 stops further leaks, but any AEGIR_GHTOKEN that was set while an affected version (12.0.0 through 12.0.7) ran aegir-release should be treated as exposed and revoked, because the bundles already published with it remain public.
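The following is an added example, not aegir's own code: a simplified model of a getEnv()-style helper whose result a bundler inlines in place of `process.env`. It shows the vulnerable shape (copy the whole environment), the patched shape (skip the token, as the advisory describes), a stricter allow-list variant that the patch does not use, and a release-time check that scans the emitted bundle for the excluded values. All function names, the sample environment and the fake token value are constructed for illustration.

```javascript
// Added example, not aegir's code. Names and sample data are hypothetical.

// Keys that must never reach a published bundle. AEGIR_GHTOKEN is the
// variable named by the advisory; nothing else is assumed about the project.
const EXCLUDED_KEYS = new Set(['AEGIR_GHTOKEN']);

// Vulnerable shape: every variable in `env` is copied into the map that the
// bundler will inline, so a release token present during aegir-release
// becomes part of the shipped JavaScript.
function getEnvVulnerable(env) {
  const out = {};
  for (const [key, value] of Object.entries(env)) {
    out[key] = value;
  }
  return out;
}

// Patched shape: same copy, but the excluded key is explicitly skipped.
function getEnvPatched(env) {
  const out = {};
  for (const [key, value] of Object.entries(env)) {
    if (EXCLUDED_KEYS.has(key)) continue;
    out[key] = value;
  }
  return out;
}

// Stricter alternative (not what the patch does): only an allow-list of
// known-public keys is ever inlined, so a newly added secret cannot leak
// by default.
function getEnvAllowList(env, allowed) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(env, key)) out[key] = env[key];
  }
  return out;
}

// Minimal stand-in for a DefinePlugin-style step: every textual occurrence
// of `process.env` in the source is replaced by the literal object.
function inlineEnv(source, envMap) {
  return source.split('process.env').join(JSON.stringify(envMap));
}

// Release-time check: which excluded values appear verbatim in the emitted
// bundle? Returns the leaked key names (empty when the bundle is clean).
function leakedKeys(bundleText, env) {
  return [...EXCLUDED_KEYS].filter(
    (key) => env[key] !== undefined && env[key] !== '' && bundleText.includes(env[key])
  );
}

// Constructed sample environment; the token value is fake.
const sampleEnv = {
  NODE_ENV: 'production',
  AEGIR_GHTOKEN: 'ghp_FAKE0000000000000000000000000000',
  DEBUG: 'aegir*',
};

// Constructed source that only reads a public variable; the bare
// `process.env` reference is what pulls the whole object into the bundle.
const sampleSource = 'const env = process.env; if (env.NODE_ENV === "production") start();';

function demo() {
  const vulnerable = inlineEnv(sampleSource, getEnvVulnerable(sampleEnv));
  const patched = inlineEnv(sampleSource, getEnvPatched(sampleEnv));
  const allowListed = inlineEnv(sampleSource, getEnvAllowList(sampleEnv, ['NODE_ENV']));
  return {
    vulnerableLeaks: leakedKeys(vulnerable, sampleEnv), // ['AEGIR_GHTOKEN']
    patchedLeaks: leakedKeys(patched, sampleEnv), // []
    allowListLeaks: leakedKeys(allowListed, sampleEnv), // []
    patchedKeepsNodeEnv: patched.includes('"NODE_ENV":"production"'), // true
  };
}

console.log(demo());
```

The deny-list matches what the patch does and is the minimal fix, but it only protects the names someone remembered to list; the allow-list variant fails closed for any future secret in the release environment, and the leakedKeys() scan is the kind of post-build check worth running before `npm publish` regardless of which approach the bundler config takes.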