Home > Vulnerability Database > CVE-2016-10526

Mend.io Vulnerability Database

CVE-2016-10526

Good to know:

Date: May 31, 2018

A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised.

Language: JS

Severity Score

8.6

Related Resources (8)

Url: https://nodesecurity.io/advisories/85

Url: https://nvd.nist.gov/vuln/detail/CVE-2016-10526

Url: https://github.com/tschaub/grunt-gh-pages

Url: https://www.npmjs.com/advisories/85

Url: https://github.com/tschaub/grunt-gh-pages/pull/41

Url: https://github.com/tschaub/grunt-gh-pages/pull/41/commits/590f69767203d8c379fe18cded93bd5ad6cb53cb

Url: https://github.com/tschaub/grunt-gh-pages/commit/2d277e3e969ccd4c2d493f3795400fa77e6b6342

Url: https://www.mend.io/vulnerability-database/CVE-2016-10526

Severity Score

8.6

Weakness Type (CWE)

Credentials Management

CWE-255

Insertion of Sensitive Information into Log File

CWE-532

Unchecked Error Condition

CWE-391

Top Fix

Upgrade Version

Upgrade to version grunt-gh-pages - 0.10.0

Learn More

CVSS v3.1

Base Score:	8.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2016-10526

Good to know:

Date: May 31, 2018

Language: JS

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?