Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTR2cjMtOXY3aC01Zjh2
Low severity vulnerability that affects Gw2Sharp
Leaking cached authenticated requests
Impact
If you've been using one MemoryCacheMethod object in multiple instances of Gw2WebApiClient and are requesting authenticated endpoints with different access tokens, then you are likely to run into this bug.
When using a single instance of MemoryCacheMethod with multiple instances of Gw2WebApiClient, there's a possibility that cached authenticated responses leak to another request to the same endpoint made with a different Guild Wars 2 access token. The latter request wouldn't be sent at all; it would return the first cached response immediately. This means that the second response (or later responses) may contain the same data as the first response, therefore leaking data from another authenticated request.
The occurrence of this is limited, however. The Guild Wars 2 API doesn't use the Expires header on most (if not all) authenticated endpoints. This header is checked when caching responses; if it isn't present, the response isn't cached at all. You should still update to at least version 0.3.1 in order to be certain that it won't happen.
Patches
This bug has been fixed in version 0.3.1. When using an authenticated endpoint, it will prepend the SHA-1 hash of the access token to the cache id.
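The following is an added example, not code from Gw2Sharp itself: a small stand-in for a shared response cache that shows the two keying strategies side by side. The vulnerable variant keys entries by endpoint only (two clients with different tokens collide), the fixed variant prepends the SHA-1 of the access token to the cache id as the 0.3.1 fix describes, and the cache-only-when-Expires-is-present check explains why most authenticated endpoints were never affected. The API responses, token values, endpoint names and the CachingClient class are all constructed for the demonstration.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed stand-in for the remote API. Each access token belongs to a
# different account, and only some endpoints send an Expires header.
FAKE_API: Dict[str, Dict[str, Dict[str, Optional[str]]]] = {
    "/v2/account": {
        "token-alice": {"body": '{"name":"Alice.1234"}', "expires": "Thu, 01 Jan 2030 00:00:00 GMT"},
        "token-bob":   {"body": '{"name":"Bob.5678"}',   "expires": "Thu, 01 Jan 2030 00:00:00 GMT"},
    },
    "/v2/account/bank": {  # no Expires header: the client never caches this
        "token-alice": {"body": '[{"id":1}]', "expires": None},
        "token-bob":   {"body": '[{"id":2}]', "expires": None},
    },
}


def cache_id(endpoint: str, access_token: Optional[str], scope_by_token: bool) -> str:
    """Build the cache key for a request.

    scope_by_token=False mirrors the pre-0.3.1 behaviour (endpoint only).
    scope_by_token=True mirrors the fix: SHA-1(token) is prepended so that
    clients holding different tokens can never share an entry.
    """
    if access_token is None or not scope_by_token:
        return endpoint
    token_hash = hashlib.sha1(access_token.encode("utf-8")).hexdigest()
    return f"{token_hash}:{endpoint}"


class CachingClient:
    """Hypothetical API client that shares one cache dict with other clients."""

    def __init__(self, access_token: str, cache: Dict[str, str], scope_by_token: bool):
        self.access_token = access_token
        self.cache = cache  # shared across clients, as in the advisory scenario
        self.scope_by_token = scope_by_token
        self.requests_sent = 0

    def get(self, endpoint: str) -> str:
        key = cache_id(endpoint, self.access_token, self.scope_by_token)
        if key in self.cache:
            return self.cache[key]  # served from cache; no request goes out
        self.requests_sent += 1
        resp = FAKE_API[endpoint][self.access_token]
        body = resp["body"]
        assert body is not None
        if resp["expires"] is not None:  # cache only when Expires is present
            self.cache[key] = body
        return body


def demo(scope_by_token: bool, endpoint: str) -> Tuple[str, str, int]:
    """Two clients with different tokens share one cache; Alice requests first.

    Returns (alice_body, bob_body, requests_sent_by_bob). A leak shows up as
    Bob receiving Alice's body with zero requests of his own.
    """
    shared_cache: Dict[str, str] = {}
    alice = CachingClient("token-alice", shared_cache, scope_by_token)
    bob = CachingClient("token-bob", shared_cache, scope_by_token)
    alice_body = alice.get(endpoint)
    bob_body = bob.get(endpoint)
    return alice_body, bob_body, bob.requests_sent


if __name__ == "__main__":
    print("endpoint-only key, Expires present:", demo(False, "/v2/account"))
    print("token-scoped key,  Expires present:", demo(True, "/v2/account"))
    print("endpoint-only key, no Expires:     ", demo(False, "/v2/account/bank"))
```

Hashing the token rather than using it raw keeps the secret itself out of cache keys (and out of any log line that prints them) while still giving each token its own namespace; the third demo call shows that without an Expires header nothing is stored, which is the reason the advisory rates the real-world exposure as limited.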
Workarounds
For version 0.3.0 and lower, you can use one separate instance of MemoryCacheMethod per Gw2WebApiClient if you need to use it.
For more information
If you have any questions or comments about this advisory, you can open an issue in the Gw2Sharp repository or contact me on Discord.
Permalink: https://github.com/advisories/GHSA-4vr3-9v7h-5f8v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTR2cjMtOXY3aC01Zjh2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
Identifiers: GHSA-4vr3-9v7h-5f8v
References:
- https://github.com/Archomeda/Gw2Sharp/security/advisories/GHSA-4vr3-9v7h-5f8v
- https://github.com/advisories/GHSA-4vr3-9v7h-5f8v
Blast Radius: 1.0
Affected Packages
nuget:Gw2Sharp
Dependent packages: 1
Dependent repositories: 0
Downloads: 88,644 total
Affected Version Ranges: < 0.3.1
Fixed in: 0.3.1
All affected versions: 0.1.0, 0.2.0, 0.3.0
All unaffected versions: 0.3.1, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.10.0, 0.11.0, 0.11.1, 0.12.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4