[NPM:GHSA-36RH-GGPR-J3GJ] Renovate vulnerable to Azure DevOps token leakage in logs

Severity Moderate
Affected Packages 1
Fixed Packages 1

Impact

Applies to Azure DevOps users only. The bot's token may be exposed in server or pipeline logs because the http.extraheader=AUTHORIZATION parameter is logged without redaction. After upgrading, Azure DevOps users should revoke their existing bot credentials and generate new ones if there is any chance that logs have been saved to a location others can view.
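The following is an added example, not Renovate's own code, showing the defensive side of this issue: scrubbing the credential carried in an http.extraheader=AUTHORIZATION parameter before a log line is written or shared, and checking existing logs for lines that still carry one. The shape of the logged invocation (git -c http.extraheader="AUTHORIZATION: bearer <token>" ...), the bearer/basic schemes and the sample log are assumptions constructed for the example.

```javascript
// Added example (not Renovate's code): redact Azure DevOps credentials that
// appear in a logged http.extraheader=AUTHORIZATION parameter.
// Assumed (constructed) shape of the logged invocation:
//   git -c http.extraheader="AUTHORIZATION: bearer <token>" fetch origin

const REDACTED = '[REDACTED]';

// Group 1: everything up to the credential (header name and optional scheme).
// Group 2: the credential itself, ending at a quote or whitespace.
// The two negative lookaheads keep an already-redacted line from matching
// again, so redaction is idempotent and the check below reports no false hit.
const AUTH_HEADER_RE =
  /(http\.extraheader=["']?AUTHORIZATION:\s*(?:basic|bearer)?\s*)((?!\[REDACTED\])(?!(?:basic|bearer)\b)[^"'\s]+)/i;
const AUTH_HEADER_RE_ALL = new RegExp(AUTH_HEADER_RE.source, 'gi');

// Replace every credential in one log line with the placeholder.
function redactLine(line) {
  return line.replace(AUTH_HEADER_RE_ALL, (_match, prefix) => prefix + REDACTED);
}

// Redact a whole log, line by line.
function redactLog(text) {
  return text.split('\n').map(redactLine).join('\n');
}

// Return the 1-based numbers of lines that still carry an unredacted
// credential; useful as a gate before logs are stored or shared.
function findUnredactedLines(text) {
  return text
    .split('\n')
    .map((line, i) => (AUTH_HEADER_RE.test(line) ? i + 1 : null))
    .filter((n) => n !== null);
}

// Constructed sample log; the token and basic-auth value are placeholders.
const SAMPLE_LOG = [
  'DEBUG: git -c http.extraheader="AUTHORIZATION: bearer exampletoken123" fetch origin',
  'INFO: fetched 3 refs',
  "DEBUG: git -c http.extraheader='AUTHORIZATION: basic dXNlcjpwYXNz' ls-remote origin",
].join('\n');

console.log('lines leaking a credential before redaction:', findUnredactedLines(SAMPLE_LOG));
console.log(redactLog(SAMPLE_LOG));
console.log('lines leaking a credential after redaction:', findUnredactedLines(redactLog(SAMPLE_LOG)));
```

The check function is the part worth wiring into a pipeline: run it over archived logs to decide whether the credential rotation recommended above is needed, and over new output before it is written to a shared location.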

Patches

Fixed in

Workarounds

Do not share Renovate logs with anyone who cannot be trusted with access to the token.

Package Affected Version
pkg:npm/renovate >= 19.180.0, < 23.25.1
Package Fixed Version
pkg:npm/renovate = 23.25.1
ID
NPM:GHSA-36RH-GGPR-J3GJ
Severity
moderate
URL
https://github.com/advisories/GHSA-36rh-ggpr-j3gj
Published
2020-09-14T16:38:40
Modified
2023-01-07T05:03:03
Rights
NPM Security Team
Type      Package URL       Name / Product   Version
Affected  pkg:npm/renovate  renovate         >= 19.180.0, < 23.25.1
Fixed     pkg:npm/renovate  renovate         = 23.25.1