Authorized clients, having an `inject_processor` secret, could brute-force the secret token value by abusing the `fmt` parameter to the `Proxy-Tokenizer` header.
This was fixed in https://github.com/superfly/tokenizer/pull/8 and further mitigated in https://github.com/superfly/tokenizer/pull/9.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | github.com/superfly/tokenizer | lt | 0.0.1 |