CVE-2021-32770 Basic-auth app bundle credential exposure in gatsby-source-wordpress

2021-07-1518:30:11

CWE-200

GitHub_M

www.cve.org

cve-2021-32770

basic authentication

gatsby-source-wordpress

credential exposure

app.js bundle

gatsby-config.js

patch

gatsby clean

gatsby build.

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.003

Percentile

70.0%

JSON

Gatsby is a framework for building websites. The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected. A patch has been introduced in [email protected] and [email protected] which mitigates the issue by filtering all variables specified in the auth: { } section. Users that depend on this functionality are advised to upgrade to the latest release of gatsby-source-wordpress, run gatsby clean followed by a gatsby build. One may manually edit the app.js file post-build as a workaround.

CNA Affected

[
  {
    "product": "gatsby",
    "vendor": "gatsbyjs",
    "versions": [
      {
        "status": "affected",
        "version": "< 4.0.8"
      },
      {
        "status": "affected",
        "version": ">= 5.0.0, < 5.9.2"
      }
    ]
  }
]