In ghinstallation v1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging.
https://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174
The request contained the App's bearer JWT and was returned to clients. This token is short-lived (10 minute maximum).
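One way to keep a failed request useful for debugging without exposing the credential is to mask the `Authorization` header on a copy before attaching it to the error. This is an added example, not ghinstallation's code or its actual fix; `RefreshError`, `newRefreshError`, the host name and the token value are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httputil"
	"strings"
)

// credentialHeaders are masked before a request is attached to an error.
var credentialHeaders = []string{"Authorization", "Proxy-Authorization"}

// RefreshError is a hypothetical error type (not ghinstallation's) that keeps
// a debuggable view of the failed request without the credential.
type RefreshError struct {
	Status int
	Dump   string // request line and headers, credentials masked
}

func (e *RefreshError) Error() string {
	return fmt.Sprintf("token refresh failed: status %d\n%s", e.Status, e.Dump)
}

// newRefreshError dumps a clone of req so the live request keeps its header.
func newRefreshError(req *http.Request, status int) *RefreshError {
	clone := req.Clone(req.Context())
	for _, name := range credentialHeaders {
		v := clone.Header.Get(name)
		if v == "" {
			continue
		}
		// Keep only the scheme ("Bearer") when one is present.
		if scheme, _, ok := strings.Cut(v, " "); ok {
			clone.Header.Set(name, scheme+" [REDACTED]")
		} else {
			clone.Header.Set(name, "[REDACTED]")
		}
	}
	dump, err := httputil.DumpRequest(clone, false)
	if err != nil {
		dump = []byte("(request dump unavailable)")
	}
	return &RefreshError{Status: status, Dump: string(dump)}
}

func main() {
	// Constructed request and token value, for illustration only.
	req, _ := http.NewRequest(http.MethodPost, "https://api.example.test/app/installations/1/access_tokens", nil)
	req.Header.Set("Authorization", "Bearer constructed.jwt.value")
	fmt.Println(newRefreshError(req, http.StatusUnauthorized))
}
```
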
If you have any questions or comments about this advisory:
* Open an issue in ghinstallation
{ "nvd_published_at": "2022-12-20T20:15:00Z", "cwe_ids": [ "CWE-209" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-12-19T22:48:32Z" }