ContextQMD
Back to Gitlabhq

Exposure of confidential secret or token CircleCI access token

doc/user/application_security/dast/browser/checks/798.131.md

18.11.21.7 KB
Original Source

Description

The response body contains content that matches the pattern of a CircleCI project token was identified. CircleCI project tokens can be given one of three scopes: - Status - Read Only - Admin Depending on the access level of this detected token, a malicious actor with access to this token may be able to gain full access to the project and CI/CD pipelines. Exposing this value could allow attackers to gain access to all resources granted by this token.

Remediation

For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet.

To rotate a project token:

  • In the CircleCI application select Projects in the sidebar, then the ellipsis (...) next to your project, and select "Project Settings".
  • Select API Permissions.
  • Select the "X" in the Remove column for the token you wish to replace. When the confirmation window appears, enter the text DELETE in the form and then select "Delete API Token".
  • Select "Create API Token".
  • Choose the same scope used for the old token from the dropdown list.
  • In the Label field, type a label for the token. It can be the same name given to the old token.
  • Select "Add API Token".

For more information please see their documentation on rotating project tokens.

Details

IDAggregatedCWETypeRisk
798.131false798PassiveHigh