Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Octo-STS Vulnerable to Unauthenticated SSRF with HTTP Response Reflection in OIDC Flow
Vulnerability Description
Octo-STS is a GitHub App that acts like a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which could reflect error logs with sensitive information. Upgrade to v0.5.3 to resolve this issue. This version includes patch sets to sanitize input and redact logging.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
octo-sts 代码问题漏洞
Vulnerability Description
octo-sts是octo-sts开源的一个 Chainguard 的 GitHub 安全令牌服务。 octo-sts v0.5.3之前版本存在代码问题漏洞,该漏洞源于未经验证的服务端请求伪造漏洞。
CVSS Information
N/A
Vulnerability Type
N/A