CVE-2023-50728 — MEDIUM (5.4)

Q: How severe is CVE-2023-50728?

CVE-2023-50728 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-50728?

Check the references section above for vendor advisories and patch information. Affected products include: Octokit App, Octokit Octokit, Octokit Webhooks, Probot Probot.

Vulnerability Description

octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the nodejs process. The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.02, octokit.js 3.1.2, and Protobot 12.3.3.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

Attack Vector

ADJACENT_NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

HIGH

Affected Products

Vendor	Product	Versions
Octokit	App	14.0.1
Octokit	Octokit	< 3.1.2
Octokit	Webhooks	< 9.26.3
Probot	Probot	< 12.3.3

Related Weaknesses (CWE)

CWE-755

References

https://github.com/octokit/app.js/releases/tag/v14.0.2Release Notes
https://github.com/octokit/octokit.js/releases/tag/v3.1.2Release Notes
https://github.com/octokit/webhooks.js/releases/tag/v10.9.2Release Notes
https://github.com/octokit/webhooks.js/releases/tag/v11.1.2Release Notes
https://github.com/octokit/webhooks.js/releases/tag/v12.0.4Release Notes
https://github.com/octokit/webhooks.js/releases/tag/v9.26.3Release Notes
https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qvVendor Advisory
https://github.com/probot/probot/releases/tag/v12.3.3Release Notes
https://github.com/octokit/app.js/releases/tag/v14.0.2Release Notes
https://github.com/octokit/octokit.js/releases/tag/v3.1.2Release Notes
https://github.com/octokit/webhooks.js/releases/tag/v10.9.2Release Notes
https://github.com/octokit/webhooks.js/releases/tag/v11.1.2Release Notes
https://github.com/octokit/webhooks.js/releases/tag/v12.0.4Release Notes
https://github.com/octokit/webhooks.js/releases/tag/v9.26.3Release Notes
https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qvVendor Advisory

FAQ

What is CVE-2023-50728?

CVE-2023-50728 is a vulnerability with a CVSS score of 5.4 (MEDIUM). octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @o...

How severe is CVE-2023-50728?

CVE-2023-50728 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-50728?

Check the references section above for vendor advisories and patch information. Affected products include: Octokit App, Octokit Octokit, Octokit Webhooks, Probot Probot.