Skip to content

[SECURITY] Storm Nimbus exposes Github personal token in Git remote URL #8188

Description

@reiabreu

Hello,

A colleague has recently brought to my attention that the Git remote URL used during the compilation and release of a new Storm version is made available on Storm Nimbus.
If you click on the Storm version in the the Nimbus UI, some information is presented. This includes the remote URL of the project used during the release.
If a Personal Authentication Token (PAT) was used in the process, it will be exposed as part of the remote URL
This has been happening in all the releases performed by me since a PAT has been my preferred authentication method.
Usually PATs generated by me are only valid for a week, so by the time the version is finally out it is no longer valid. But my last tokens were still valid and had to delete them.
A bad actor might have used them to perform write operations in Apache Storm on my behalf.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions