GMS-2020-460: Azure DevOps token leakage in logs
Impact
Applies to Azure DevOps users only. The bot’s token may be exposed in server or pipeline logs due to the http.extraheader=AUTHORIZATION parameter being logged without redaction. It is recommended that Azure DevOps users revoke their existing bot credentials and generate new ones after upgrading if there’s a potential that logs have been saved to a location that others can view.
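To help decide whether saved logs need the credential rotation described above, here is an added example (not Renovate's own code) that scans log text for unredacted git http.extraheader=AUTHORIZATION values and redacts them before a log is shared. The regular expression, the function names and the sample log lines are assumptions constructed for this illustration; adjust the pattern to match the exact form your own logs use.

```javascript
// Added example, not part of Renovate: triage and scrub saved logs for
// "http.extraheader=AUTHORIZATION" credential values before sharing them.

// Matches the header value after "http.extraheader=AUTHORIZATION:", whether
// the argument is bare, single-quoted or double-quoted, and whether the scheme
// is "basic" or "bearer". Group 1 = prefix up to and including the scheme,
// group 2 = the secret value itself.
const AUTH_HEADER_RE =
  /(http\.extraheader=["']?AUTHORIZATION:\s*(?:basic|bearer)\s+)([^\s"']+)/gi;

// Replace each credential value with a fixed marker and keep the rest of the
// line intact so the log stays useful for debugging.
function redactAuthHeaders(line) {
  return line.replace(AUTH_HEADER_RE, (_m, prefix) => `${prefix}[REDACTED]`);
}

// Redact a whole log (newline-separated lines).
function redactLog(logText) {
  return logText.split('\n').map(redactAuthHeaders).join('\n');
}

// Report every line that still carries an unredacted credential, with a short
// preview so the finding can be matched to the right credential for rotation
// without copying the full secret into a ticket.
function findLeakedAuthHeaders(logText) {
  const findings = [];
  logText.split('\n').forEach((line, idx) => {
    for (const match of line.matchAll(AUTH_HEADER_RE)) {
      const secret = match[2];
      if (secret !== '[REDACTED]') {
        findings.push({ line: idx + 1, preview: secret.slice(0, 4) + '...' });
      }
    }
  });
  return findings;
}

// Constructed sample log lines (the tokens are made-up placeholders).
const SAMPLE_LOG = [
  'DEBUG: git -c http.extraheader=AUTHORIZATION: basic OmFiY2RlZmdoMTIzNDU2Nzg5MA== clone https://dev.azure.com/org/proj/_git/repo',
  "DEBUG: git -c 'http.extraheader=AUTHORIZATION: bearer eyJhbGciOiJub25lIn0.e30.' fetch origin",
  'INFO: renovate repository finished',
].join('\n');

// Stand-alone usage: list leaks, then print the scrubbed log.
console.log('leaks before redaction:', findLeakedAuthHeaders(SAMPLE_LOG));
console.log(redactLog(SAMPLE_LOG));
console.log('leaks after redaction:', findLeakedAuthHeaders(redactLog(SAMPLE_LOG)));
```

A non-empty result from findLeakedAuthHeaders on a log that has already left a trusted system is the signal to rotate the bot credentials; the redaction only prevents further exposure, it does not undo a leak that has already happened.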
Patches
Fixed
Workarounds
Do not share Renovate logs with anyone who cannot be trusted with access to the token.
For more information
If you have any questions or comments about this advisory:
- Email us at security@renovatebot.com