Описание
Potential leak of authentication data to 3rd parties
Impact
Users of typed-rest-client library version 1.7.3 or lower are vulnerable to leak authentication data to 3rd parties.
The flow of the vulnerability is as follows:
- Send any request with
BasicCredentialHandler,BearerCredentialHandlerorPersonalAccessTokenCredentialHandler - The target host may return a redirection (3xx), with a link to a second host.
- The next request will use the credentials to authenticate with the second host, by setting the
Authorizationheader.
The expected behavior is that the next request will NOT set the Authorization header.
Patches
The problem was fixed on April 1st 2020.
Workarounds
There is no workaround.
References
This is similar to the following issues in nature:
- HTTP authentication leak in redirects - I used the same solution as CURL did.
- CVE-2018-1000007.
Ссылки
- https://github.com/microsoft/typed-rest-client/security/advisories/GHSA-558p-m34m-vpmq
- https://nvd.nist.gov/vuln/detail/CVE-2023-30846
- https://github.com/microsoft/typed-rest-client/pull/207
- https://github.com/microsoft/typed-rest-client/commit/f9ff755631b982ee1303dfc3e3c823d0d31233e8
- https://security.netapp.com/advisory/ntap-20230601-0008
Пакеты
typed-rest-client
< 1.8.0
1.8.0
Связанные уязвимости
typed-rest-client is a library for Node Rest and Http Clients with typings for use with TypeScript. Users of the typed-rest-client library version 1.7.3 or lower are vulnerable to leak authentication data to 3rd parties. The flow of the vulnerability is as follows: First, send any request with `BasicCredentialHandler`, `BearerCredentialHandler` or `PersonalAccessTokenCredentialHandler`. Second, the target host may return a redirection (3xx), with a link to a second host. Third, the next request will use the credentials to authenticate with the second host, by setting the `Authorization` header. The expected behavior is that the next request will *NOT* set the `Authorization` header. The problem was fixed in version 1.8.0. There are no known workarounds.