5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-39304

GHSA ID

GHSA-h4q8-96p6-jcgr

EPSS Score

0.08079%

CWE

CWE-209

Published

12/19/2022

Updated

8/28/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-39304

CVE-2022-39304: ghinstallation returns app JWT in error responses

Impact

In ghinstallation v1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging.

https://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174

The request contained the bearer JWT for the App, and was returned back to clients. This token is short lived (10 minute maximum).

Patches

This has already been patched in d24f14f8be70d94129d76026e8b0f4f9170c8c3e, and is available in releases >= v2.0.0.

References

Are there any links users can visit to find out more?

See https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation for the App installation flow.

For more information

If you have any questions or comments about this advisory:

Open an issue in ghinstallation

(GitHub Advisory)

5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-39304

GHSA ID

GHSA-h4q8-96p6-jcgr

EPSS Score

0.08079%

CWE

CWE-209

Published

12/19/2022

Updated

8/28/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/bradleyfalzon/ghinstallation	go	< 2.0.0	2.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from error handling in the refreshToken method where fmt.Errorf was used with verbose request/response details. The pre-patch line (return fmt.Errorf("request %+v received non 2xx response status %q with body %+v and TLS %+v", ...)) included the HTTP request object containing the JWT in headers. The commit d24f14f specifically modified this error formatting to remove sensitive request details, confirming this function as the vulnerability source. The Transport.refreshToken function is directly responsible for handling authentication token refreshes and error reporting, making it the clear entry point for the sensitive data leak.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t In **inst*ll*tion v*, w**n t** r*qu*st to r**r*s* *n inst*ll*tion tok*n **il**, t** *TTP r*qu*st *n* r*spons* woul* ** r*turn** *or ***u**in*. *ttps://*it*u*.*om/*r**l*y**lzon/**inst*ll*tion/*lo*/****************************************/

Reasoning

T** vuln*r**ility st*mm** *rom *rror **n*lin* in t** `r**r*s*Tok*n` m*t*o* w**r* `*mt.*rror*` w*s us** wit* v*r*os* r*qu*st/r*spons* **t*ils. T** pr*-p*t** lin* (r*turn `*mt.*rror*`("r*qu*st %+v r***iv** non *xx r*spons* st*tus %q wit* *o*y %+v *n* T

5

Basic Information

Concerned about an active attack path?

CVE-2022-39304: ghinstallation returns app JWT in error responses

Impact

Patches

References

For more information

5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI