VDB
KO
HIGH 7.5

GHSA-rqjw-p5vr-c695

Basic-auth app bundle credential exposure in gatsby-source-wordpress

Details

### Impact The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected.

Example affected gatsby-config.js: ``` resolve: 'gatsby-source-wordpress', auth: { htaccess: { username: leaked_username password: leaked_password, }, }, ```

### Patches A patch has been introduced in gatsby-source-wordpress@4.0.8 and gatsby-source-wordpress@5.9.2 which mitigates the issue by filtering all variables specified in the `auth: { }` section. Users that depend on this functionality are advised to upgrade to the latest release of gatsby-source-wordpress, run `gatsby clean` followed by a `gatsby build`.

### Workarounds There is no known workaround at this time, other than manually editing the app.js file post-build.

### For more information Email us at [security@gatsbyjs.com](mailto:security@gatsbyjs.com)

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / gatsby-source-wordpress
Introduced in: 0 Fixed in: 4.0.8
Fix npm install gatsby-source-wordpress@4.0.8
npm / gatsby-source-wordpress
Introduced in: 5.0.0 Fixed in: 5.9.2
Fix npm install gatsby-source-wordpress@5.9.2

References