Information Disclosure Affecting easybuild-framework package, versions [,4.1.2)


  • Snyk CVSS: 0.0 high (Attack Complexity: Low, Confidentiality: High)
  • Threat Intelligence: EPSS 0.05% (19th percentile)
  • NVD: 5.5 medium

  • Snyk ID SNYK-PYTHON-EASYBUILDFRAMEWORK-560854
  • published 20 Mar 2020
  • disclosed 16 Mar 2020
  • credit Lars Viklund

How to fix?

Upgrade easybuild-framework to version 4.1.2 or higher.

Overview

easybuild-framework is a software build and installation framework that allows you to manage (scientific) software on High Performance Computing (HPC) systems in an efficient way.

Affected versions of this package are vulnerable to Information Disclosure. The GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like --new-pr, --from-pr, etc.) is written in plain text to EasyBuild debug log files. This issue is fixed in EasyBuild v4.1.2, and in the master and develop branches of the easybuild-framework repository.
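Debug logs written by affected versions may still hold a token after the upgrade, so existing log files are worth checking. The following is an added example, not code from Snyk or the EasyBuild project: a scanner that finds GitHub-token-shaped strings in log lines and redacts them. The log line layout and the context keywords are assumptions, the sample lines are constructed, and the prefixed token formats go beyond the 40-hex form in use when this issue was disclosed.

```python
import re

# GitHub token shapes: prefixed formats introduced in 2021, plus the older
# 40-hex-character classic PAT that was current when this issue was disclosed.
PREFIXED = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b")
HEX40 = re.compile(r"\b[0-9a-f]{40}\b")
# A bare 40-hex string is also what a git commit SHA looks like, so it is only
# treated as a token when the line carries credential context (assumed keywords).
CONTEXT = re.compile(r"token|authorization|password|secret", re.IGNORECASE)


def find_tokens(line):
    """Return the token-like substrings found in one log line."""
    hits = [m.group(0) for m in PREFIXED.finditer(line)]
    if CONTEXT.search(line):
        hits += [m.group(0) for m in HEX40.finditer(line)]
    return hits


def redact(token):
    """Keep the first 4 characters so the owner can identify the token to revoke."""
    return token[:4] + "*" * (len(token) - 4)


def scan(lines):
    """Return (findings, cleaned_lines); findings are (line_number, redacted_token)."""
    findings, cleaned = [], []
    for number, line in enumerate(lines, start=1):
        for token in find_tokens(line):
            findings.append((number, redact(token)))
            line = line.replace(token, redact(token))
        cleaned.append(line)
    return findings, cleaned


# Constructed sample lines (not real EasyBuild output, not real tokens).
SAMPLE_LOG = [
    "== 2020-03-16 10:00:01 DEBUG fetching PR data for pull request (constructed)",
    "== 2020-03-16 10:00:02 DEBUG github token: " + "0123456789abcdef" * 2 + "01234567",
    "== 2020-03-16 10:00:03 DEBUG checked out commit " + "a1b2c3d4" * 5,
    "== 2020-03-16 10:00:04 DEBUG Authorization header set with ghp_" + "A1b2" * 9,
]

if __name__ == "__main__":
    findings, _ = scan(SAMPLE_LOG)
    for number, token in findings:
        print(f"line {number}: {token}")
```

Any token the scan reports should be revoked and replaced, since redacting the log does not undo exposure to anyone who could already read the file.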