'Exposure of confidential secret or token Linear API token'
Description
The response body contains content that matches the pattern of a Linear API token was identified. Personal API tokens can be used to access Linear's GraphQL API. A malicious actor with access to this token can read or write issues, projects and teams to Linear and any systems the account has been integrated with. Exposing this value could allow attackers to gain access to all resources granted by this token.
Remediation
For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet.
To revoke a Linear API token:
- Sign in to your account at https://linear.app/
- Select your organization in the top left corner and select "Preferences"
- In the left-hand menu, select "API" under "My Account"
- Find the identified API key in the "Personal API Keys" section of the page
- Select "Revoke" next to the identified key
- When prompted, select "Revoke" in the "Revoke access?" dialog
For more information, please see Linear's documentation on using personal API keys.
Details
| ID | Aggregated | CWE | Type | Risk |
|---|---|---|---|---|
| 798.66 | false | 798 | Passive | High |