Azure DevOps token leakage in logs

Moderate
rarkins published GHSA-36rh-ggpr-j3gj Sep 12, 2020

Package

npm renovate (npm)

Affected versions

>=19.180.0 <23.25.1

Patched versions

23.25.1

Description

Impact

Applies to Azure DevOps users only. The bot's token may be exposed in server or pipeline logs because the http.extraheader=AUTHORIZATION parameter passed to git was logged without redaction. Azure DevOps users should revoke their existing bot credentials and generate new ones after upgrading if there is any possibility that logs were saved to a location that others can view.

Patches

Fixed in

Workarounds

Do not share Renovate logs with anyone who cannot be trusted with access to the token.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs

Credits