Bug 2254872 (CVE-2023-50728) - CVE-2023-50728 octokit/webhooks: uncaught exception
Summary: CVE-2023-50728 octokit/webhooks: uncaught exception
Keywords:
Status: NEW
Alias: CVE-2023-50728
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2254877
 
Reported: 2023-12-17 10:57 UTC by ybuenos
Modified: 2024-03-14 08:48 UTC (History)

Fixed In Version: octokit/webhooks 9.26.3, octokit/webhooks 10.9.2, octokit/webhooks 11.1.2, octokit/webhooks 12.0.4
Clone Of:
Environment:
Last Closed:
Embargoed:



Description ybuenos 2023-12-17 10:57:46 UTC
octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the Node.js process. The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.0.2, octokit.js 3.1.2, and Probot 12.3.3.

https://github.com/octokit/app.js/releases/tag/v14.0.2
https://github.com/octokit/octokit.js/releases/tag/v3.1.2
https://github.com/octokit/webhooks.js/releases/tag/v10.9.2
https://github.com/octokit/webhooks.js/releases/tag/v11.1.2
https://github.com/octokit/webhooks.js/releases/tag/v12.0.4
https://github.com/octokit/webhooks.js/releases/tag/v9.26.3
https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv
https://github.com/probot/probot/releases/tag/v12.3.3
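The failure mode the advisory describes, as an added illustration that is not code from @octokit/webhooks, app.js, octokit.js or Probot: an error-handling path that assumes the caught value is an Error object will itself throw a TypeError when a handler fails with `undefined`, and a throw inside a catch block escapes the surrounding try/catch. The dispatcher, the middleware stand-in, the handler names and the sample event below are all assumptions made for the example; the vulnerable variant is shown beside a hardened one that normalises every thrown value before anything dereferences it.

```javascript
// Added example, not code from @octokit/webhooks or its dependents. It models
// the class of bug the advisory describes: an error-handling path that assumes
// the caught value is an Error object, and therefore throws a TypeError itself
// when a handler fails with `undefined`.

// Constructed sample event, shaped loosely like a GitHub webhook delivery.
const SAMPLE_EVENT = {
  id: "00000000-0000-0000-0000-000000000000", // hypothetical delivery id
  name: "issues",
  payload: { action: "opened", issue: { number: 1 } },
};

// A handler that fails "badly": it throws no Error object at all. In real code
// this is e.g. `throw undefined`, a bare `Promise.reject()`, or a Node-style
// callback invoked as `cb()` where `cb(err)` was expected.
function brokenHandler() {
  throw undefined;
}

// Vulnerable dispatcher (hypothetical): runs every handler and rethrows the
// first failure unchanged, so whatever a handler threw, including undefined,
// propagates to the caller's error-handling path.
function receiveVulnerable(handlers, event) {
  const errors = [];
  for (const handler of handlers) {
    try {
      handler(event);
    } catch (e) {
      errors.push(e);
    }
  }
  if (errors.length > 0) throw errors[0];
}

// Coerce any thrown value into a real Error so downstream code can rely on
// .message existing.
function toError(value) {
  if (value instanceof Error) return value;
  const message =
    value === undefined || value === null
      ? "handler failed without an error value"
      : String(value);
  return new Error(message);
}

// Hardened dispatcher (hypothetical): normalises every failure, keeps the
// originals for diagnostics, and attaches an HTTP status for the middleware.
function receiveHardened(handlers, event) {
  const errors = [];
  for (const handler of handlers) {
    try {
      handler(event);
    } catch (e) {
      errors.push(toError(e));
    }
  }
  if (errors.length > 0) {
    const aggregate = new Error(errors.map((e) => e.message).join("; "));
    aggregate.errors = errors;
    aggregate.status = 500;
    throw aggregate;
  }
}

// Minimal stand-in for an HTTP middleware. The catch block is the error
// handling path: it reads `.status` and `.message` from the caught value. If
// that value is undefined, the TypeError raised inside the catch is not
// caught by this try/catch and escapes to the caller. In a real Node.js server
// that is an uncaught exception (or, on an async path, an unhandled rejection,
// which by default also terminates the process since Node.js 15).
function middleware(receive, handlers, event) {
  try {
    receive(handlers, event);
    return { status: 200, body: "ok" };
  } catch (error) {
    return { status: error.status || 500, body: error.message };
  }
}

// Run the same misbehaving handler through both dispatchers.
function demo() {
  const results = {};
  try {
    middleware(receiveVulnerable, [brokenHandler], SAMPLE_EVENT);
    results.vulnerable = "survived";
  } catch (escaped) {
    results.vulnerable = escaped.constructor.name; // "TypeError"
  }
  results.hardened = middleware(receiveHardened, [brokenHandler], SAMPLE_EVENT);
  return results;
}

console.log(demo());
```

With the vulnerable dispatcher the request never gets an HTTP response: the TypeError leaves `middleware` and, in a server, the process. With the hardened one the same delivery produces a 500 and the process keeps serving the next delivery, which is the behaviour the fixed releases restore.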

