GHSA-rqjw-p5vr-c695
Basic-auth app bundle credential exposure in gatsby-source-wordpress
Details
### Impact The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected.
Example affected gatsby-config.js: ``` resolve: 'gatsby-source-wordpress', auth: { htaccess: { username: leaked_username password: leaked_password, }, }, ```
### Patches A patch has been introduced in gatsby-source-wordpress@4.0.8 and gatsby-source-wordpress@5.9.2 which mitigates the issue by filtering all variables specified in the `auth: { }` section. Users that depend on this functionality are advised to upgrade to the latest release of gatsby-source-wordpress, run `gatsby clean` followed by a `gatsby build`.
### Workarounds There is no known workaround at this time, other than manually editing the app.js file post-build.
### For more information Email us at [security@gatsbyjs.com](mailto:security@gatsbyjs.com)
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 4.0.8 npm install gatsby-source-wordpress@4.0.8 5.0.0 Fixed in: 5.9.2 npm install gatsby-source-wordpress@5.9.2