Cleartext storage of sensitive information in EasyBuild - CVE-2020-5262
Published: March 26, 2020 / Updated: April 1, 2020
Vulnerability identifier: #VU26411
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-5262
CWE-ID: CWE-312
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: EasyBuild community
Affected software:
EasyBuild
EasyBuild
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to sensitive information on the target system.
The vulnerability exists due to the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--fro,-pr`, etc.) is shown in plain text in EasyBuild debug log files. A remote authenticated attacker can obtain this token.
How to mitigate CVE-2020-5262
Install updates from vendor's website.