'Exposure of confidential secret or token Pulumi API token'
Description
The response body contains content that matches the pattern of a Pulumi API token was identified. Personal access tokens map to the permissions of a user. A malicious actor with access to this token can delete stacks, tags, updates, and webhooks as the owner of the access token. Exposing this value could allow attackers to gain access to all resources granted by this token.
Remediation
For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet. To revoke the API token:
- Sign in to your Pulumi account and access https://app.pulumi.com/
- In the top right corner, select the profile picture and select "Personal access tokens"
- Find the identified token and select the ellipsis in the "Actions" column of the key and select "Delete token"
- When prompted, select "Delete token" in the "Delete token" dialog
For more information, please see Pulumi's documentation on Personal access tokens.
Details
| ID | Aggregated | CWE | Type | Risk |
|---|---|---|---|---|
| 798.95 | false | 798 | Passive | High |