R gh Package Authorization Header Exposure Vulnerability
Vulnerability
A vulnerability exists in the R 'gh' package, specifically in versions prior to 1.5.0, where the HTTP response includes the Authorization header from the corresponding request. This could lead to unintentional exposure of sensitive information, such as API keys, especially if the response is cached and later committed to a public repository.
Impact
This vulnerability could result in the unauthorized disclosure of sensitive information, including API keys, which could be exposed if response data is cached and then shared publicly.
Reproduction
In versions of the 'gh' package prior to 1.5.0, make a request to the GitHub API that includes an Authorization header, such as a request that uses a personal access token (PAT). The response will include the Authorization header, exposing the token. This can be verified by checking the response data for the presence of the Authorization header after making the request.
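The check described above, as an added R example rather than code from the 'gh' package: a recursive scan of a response-derived object for an Authorization header wherever it sits (list elements or attributes), plus a redaction pass to run before the object is cached or saved. The layout of the sample object is constructed for illustration and is not gh's real response structure.

```r
# Added example, not code from the gh package: before caching or saving any
# object built from an API response, check it for an Authorization header that
# may have been carried over from the request, and redact it. The walk covers
# list elements and non-structural attributes, so it does not depend on where
# the header was stored.

is_auth_name <- function(n) grepl("^authorization$", n, ignore.case = TRUE)

# Return the paths of every element named Authorization, searching list
# elements and attributes recursively.
find_authorization <- function(x, path = "x") {
  if (!(is.list(x) || is.atomic(x))) return(character(0))
  hits <- character(0)
  nms <- names(x)
  for (i in seq_along(x)) {
    n <- if (is.null(nms)) "" else nms[i]
    here <- if (nzchar(n)) paste0(path, "$", n) else paste0(path, "[[", i, "]]")
    if (nzchar(n) && is_auth_name(n)) hits <- c(hits, here)
    if (is.list(x[[i]])) hits <- c(hits, find_authorization(x[[i]], here))
  }
  for (a in setdiff(names(attributes(x)), c("names", "class", "dim", "dimnames", "row.names"))) {
    hits <- c(hits, find_authorization(attr(x, a, exact = TRUE), paste0("attr(", path, ", \"", a, "\")")))
  }
  hits
}

# Return a copy with every Authorization value replaced by a placeholder.
redact_authorization <- function(x) {
  if (!(is.list(x) || is.atomic(x))) return(x)
  nms <- names(x)
  for (i in seq_along(x)) {
    if (!is.null(nms) && is_auth_name(nms[i])) {
      x[[i]] <- "<redacted>"
    } else if (is.list(x[[i]])) {
      x[[i]] <- redact_authorization(x[[i]])
    }
  }
  for (a in setdiff(names(attributes(x)), c("names", "class", "dim", "dimnames", "row.names"))) {
    attr(x, a) <- redact_authorization(attr(x, a, exact = TRUE))
  }
  x
}

# Constructed sample (not a real gh response object): API data carrying the
# originating request, Authorization header included, as an attribute.
cached <- list(login = "octocat", id = 1L)
attr(cached, "request") <- list(
  url = "https://api.github.com/user",
  headers = list(Accept = "application/vnd.github+json",
                 Authorization = "token ghp_EXAMPLE_PLACEHOLDER")
)

find_authorization(cached)   # attr(x, "request")$headers$Authorization
clean <- redact_authorization(cached)
stopifnot(identical(attr(clean, "request")$headers$Authorization, "<redacted>"))
# The bytes saveRDS() would write must no longer contain the token.
stopifnot(length(grepRaw("ghp_EXAMPLE_PLACEHOLDER", serialize(clean, NULL))) == 0)
```

A non-empty result from find_authorization() on an object you are about to saveRDS() or commit is the signal that the affected gh version is in use and the object must be redacted first.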
Remediation
Users can update to 'gh' package version 1.5.0 or later, where this vulnerability has been addressed.
