Exposure of confidential secret or token Clojars deploy token

Description

The response body contains content that matches the pattern of a Clojars deploy token was detected. A deploy token is used in place of a password when deploying, and cannot be used to sign in. Tokens can be scoped to:

• Any artifact you have access to ("*")
• Any artifact in a group you have access to ("group-name/*")
• A particular artifact you have access to ("group-name/artifact-name") A malicious actor with access to this token can deploy malicious Clojure JARs by using this account.

Exposing this value could allow attackers to gain access to all resources granted by this token.

Remediation

For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet.

To revoke a deploy token:

1. Visit https://clojars.org/tokens after logging in.

2. Under "Existing Deploy Tokens" find the token that was detected

3. Select "Disable token".

   [!note] It's not possible to re-enable the token after disabling it.

To create a new deploy token:

1. Visit https://clojars.org/tokens after logging in.
2. Fill out the Token name 1. Select the appropriate token scope
3. If the token is a single use, select the "Single use?" check box, otherwise leave blank
4. Set an expiration date (90 days is recommended)
5. Select "Create Token" For more information on tokens, please see Clojars website.

Details

ID	Aggregated	CWE	Type	Risk
798.20	false	798	Passive	High

Links

• CWE