Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJxanctcDV2ci1jNjk1

Basic-auth app bundle credential exposure in gatsby-source-wordpress

Impact

The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected.

Example affected gatsby-config.js:

      resolve: 'gatsby-source-wordpress',
        auth: {
          htaccess: {
            username: leaked_username
            password: leaked_password,
          },
        },

Patches

A patch has been introduced in [email protected] and [email protected] which mitigates the issue by filtering all variables specified in the auth: { } section. Users that depend on this functionality are advised to upgrade to the latest release of gatsby-source-wordpress, run gatsby clean followed by a gatsby build.

Workarounds

There is no known workaround at this time, other than manually editing the app.js file post-build.

For more information

Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-rqjw-p5vr-c695
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJxanctcDV2ci1jNjk1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-rqjw-p5vr-c695, CVE-2021-32770
References:

Repository: https://github.com/gatsbyjs/gatsby
Blast Radius: 24.0

Affected Packages

npm:gatsby-source-wordpress

Dependent packages: 28
Dependent repositories: 1,585
Downloads: 64,307 last month
Affected Version Ranges: >= 5.0.0, < 5.9.2, < 4.0.8
Fixed in: 5.9.2, 4.0.8
All affected versions: 1.0.1, 1.1.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.0.25, 2.0.26, 2.0.27, 2.0.28, 2.0.29, 2.0.30, 2.0.31, 2.0.32, 2.0.33, 2.0.34, 2.0.35, 2.0.36, 2.0.37, 2.0.38, 2.0.39, 2.0.40, 2.0.41, 2.0.42, 2.0.43, 2.0.44, 2.0.45, 2.0.46, 2.0.47, 2.0.48, 2.0.49, 2.0.50, 2.0.51, 2.0.52, 2.0.53, 2.0.54, 2.0.55, 2.0.56, 2.0.57, 2.0.58, 2.0.59, 2.0.60, 2.0.61, 2.0.62, 2.0.63, 2.0.66, 2.0.67, 2.0.68, 2.0.69, 2.0.70, 2.0.71, 2.0.72, 2.0.73, 2.0.74, 2.0.75, 2.0.76, 2.0.77, 2.0.78, 2.0.79, 2.0.80, 2.0.81, 2.0.82, 2.0.83, 2.0.84, 2.0.85, 2.0.86, 2.0.87, 2.0.88, 2.0.89, 2.0.90, 2.0.91, 2.0.92, 2.0.93, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.0.21, 3.0.22, 3.0.25, 3.0.27, 3.0.28, 3.0.29, 3.0.30, 3.0.31, 3.0.32, 3.0.33, 3.0.34, 3.0.35, 3.0.36, 3.0.37, 3.0.38, 3.0.39, 3.0.40, 3.0.41, 3.0.42, 3.0.43, 3.0.44, 3.0.45, 3.0.46, 3.0.47, 3.0.48, 3.0.49, 3.0.50, 3.0.51, 3.0.52, 3.0.53, 3.0.54, 3.0.55, 3.0.56, 3.0.57, 3.0.58, 3.0.59, 3.0.60, 3.0.61, 3.0.62, 3.0.63, 3.0.64, 3.0.65, 3.0.66, 3.0.67, 3.0.68, 3.0.69, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.21, 3.1.22, 3.1.23, 3.1.24, 3.1.25, 3.1.26, 3.1.27, 3.1.28, 3.1.29, 3.1.30, 3.1.31, 3.1.32, 3.1.33, 3.1.34, 3.1.35, 3.1.36, 3.1.38, 3.1.39, 3.1.40, 3.1.41, 3.1.42, 3.1.43, 3.1.44, 3.1.45, 3.1.46, 3.1.47, 3.1.48, 3.1.49, 3.1.50, 3.1.51, 3.1.53, 3.1.54, 3.1.56, 3.1.57, 3.1.58, 3.1.59, 3.1.60, 3.1.61, 3.1.62, 3.1.63, 3.1.64, 3.1.65, 3.1.66, 3.1.67, 3.1.68, 3.1.69, 3.1.70, 3.1.71, 3.1.72, 3.1.73, 3.1.74, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13, 3.3.14, 3.3.15, 3.3.17, 3.3.18, 3.3.19, 3.3.20, 3.3.21, 3.3.22, 3.3.23, 3.3.24, 3.3.25, 3.3.26, 3.3.27, 3.3.28, 3.3.29, 3.3.30, 3.3.31, 3.3.32, 3.3.33, 3.3.34, 3.3.35, 3.3.36, 3.3.37, 3.3.38, 3.3.39, 3.3.40, 3.3.41, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.8.0, 3.8.1, 3.9.0, 3.9.1, 3.10.0, 3.11.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.5.0, 5.5.1, 5.6.0, 5.7.0, 5.7.1, 5.8.0, 5.9.0, 5.9.1
All unaffected versions: 4.0.8, 5.9.2, 5.10.0, 5.11.0, 5.12.0, 5.12.1, 5.13.0, 5.14.0, 5.14.1, 5.14.2, 5.15.0, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.5.1, 6.5.2, 6.6.0, 6.7.0, 6.8.0, 6.8.1, 6.8.2, 6.9.0, 6.9.1, 6.10.0, 6.10.1, 6.10.2, 6.11.0, 6.11.1, 6.11.2, 6.12.0, 6.12.1, 6.12.2, 6.13.0, 6.14.0, 6.14.1, 6.14.2, 6.14.3, 6.15.0, 6.15.1, 6.16.0, 6.16.1, 6.17.0, 6.18.0, 6.18.1, 6.19.0, 6.20.0, 6.21.0, 6.21.1, 6.22.0, 6.22.1, 6.23.0, 6.23.1, 6.24.0, 6.24.1, 6.24.2, 6.25.0, 6.25.1, 6.25.2, 6.25.3, 6.25.4, 6.25.5, 7.0.0, 7.1.0, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.3.0, 7.3.1, 7.3.2, 7.4.0, 7.4.1, 7.5.0, 7.6.0, 7.7.0, 7.8.0, 7.9.0, 7.10.0, 7.10.1, 7.11.0, 7.12.0, 7.12.1, 7.12.2, 7.12.3, 7.13.0, 7.13.1, 7.13.2, 7.13.3, 7.13.4