Information Disclosure

Affecting easybuild-framework package, versions [,4.1.2)


Overview

easybuild-framework is a software build and installation framework that allows you to manage (scientific) software on High Performance Computing (HPC) systems in an efficient way.

Affected versions of this package are vulnerable to Information Disclosure. The GitHub Personal Access Token (PAT) used by EasyBuild for its GitHub integration features (such as --new-pr and --from-pr) is written in plain text to EasyBuild debug log files, so anyone who can read those logs can read the token. This issue is fixed in EasyBuild v4.1.2, and in the master and develop branches of the easybuild-framework repository.

Remediation

Upgrade easybuild-framework to version 4.1.2 or higher.
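Upgrading removes the token from new logs, but debug logs already written by an affected version may still contain it. The following is an added example (not EasyBuild's own code) showing the two checks a defender would want: a logging filter that masks anything shaped like a GitHub token before a record is emitted, and a scanner for existing log files that reports which lines carried a token without repeating the secret. The token patterns are assumptions: the prefixed form (ghp_, gho_, and similar) is the format GitHub introduced in 2021, and the 40-character hexadecimal form is the older PAT format in use around the time of this advisory. The log lines in the demo are constructed.

```python
import logging
import re

# Assumed GitHub token shapes: prefixed tokens (GitHub, 2021 onwards) and the
# older 40-hex personal access tokens. The hex pattern also matches git commit
# SHAs, so it over-matches; for redaction that is harmless, for scanning it
# means a hit should be inspected rather than treated as proof of a leak.
GITHUB_TOKEN_PATTERNS = [
    re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}\b"),
    re.compile(r"\b[0-9a-f]{40}\b"),
]

REDACTED = "<redacted-github-token>"


def redact_tokens(text):
    """Return text with every substring that looks like a GitHub token masked."""
    for pattern in GITHUB_TOKEN_PATTERNS:
        text = pattern.sub(REDACTED, text)
    return text


class TokenRedactingFilter(logging.Filter):
    """Logging filter that masks GitHub tokens before a record reaches a handler.

    The record is formatted once, the result is redacted and stored back in
    record.msg, and record.args is cleared so the original token cannot be
    re-inserted by a later formatting step.
    """

    def filter(self, record):
        record.msg = redact_tokens(record.getMessage())
        record.args = ()
        return True


def scan_log_for_tokens(lines):
    """Return (line_number, redacted_line) for each line that carries a token.

    Meant for reviewing debug logs written by an unpatched version; the lines
    returned are already masked so the report itself does not leak the secret.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        if any(p.search(line) for p in GITHUB_TOKEN_PATTERNS):
            hits.append((number, redact_tokens(line.rstrip("\n"))))
    return hits


if __name__ == "__main__":
    # Hypothetical logger set-up with the filter attached to the handler.
    logger = logging.getLogger("easybuild-demo")
    handler = logging.StreamHandler()
    handler.addFilter(TokenRedactingFilter())
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    # Constructed token value; prints with the token masked.
    logger.debug("Using GitHub token %s for --new-pr", "ghp_" + "x" * 36)

    # Constructed sample of an old debug log being checked for exposure.
    sample_log = [
        "== 2020-03-16 10:00:00 easybuild.main DEBUG Command line: eb --new-pr foo.eb",
        "== 2020-03-16 10:00:01 easybuild.tools.github DEBUG token: "
        "0123456789abcdef0123456789abcdef01234567",
    ]
    for number, line in scan_log_for_tokens(sample_log):
        print("line %d: %s" % (number, line))
```

Any line reported by scan_log_for_tokens on a real log should be treated as a possible exposure of that token: revoke and reissue the PAT, then remove or restrict access to the log file. Attaching the filter to the handler rather than the logger means records from child loggers are redacted too.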

CVSS Score

7.1 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: Low
  • Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Credit: Lars Viklund
CVE: CVE-2020-5262
CWE: CWE-200
Snyk ID: SNYK-PYTHON-EASYBUILDFRAMEWORK-560854
Disclosed: 16 Mar, 2020
Published: 20 Mar, 2020