VDB
EN
HIGH 7.5

GHSA-rqjw-p5vr-c695

Basic-auth app bundle credential exposure in gatsby-source-wordpress

상세

### Impact The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected.

Example affected gatsby-config.js: ``` resolve: 'gatsby-source-wordpress', auth: { htaccess: { username: leaked_username password: leaked_password, }, }, ```

### Patches A patch has been introduced in gatsby-source-wordpress@4.0.8 and gatsby-source-wordpress@5.9.2 which mitigates the issue by filtering all variables specified in the `auth: { }` section. Users that depend on this functionality are advised to upgrade to the latest release of gatsby-source-wordpress, run `gatsby clean` followed by a `gatsby build`.

### Workarounds There is no known workaround at this time, other than manually editing the app.js file post-build.

### For more information Email us at [security@gatsbyjs.com](mailto:security@gatsbyjs.com)

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / gatsby-source-wordpress
최초 영향 버전: 0 수정 버전: 4.0.8
수정 npm install gatsby-source-wordpress@4.0.8
npm / gatsby-source-wordpress
최초 영향 버전: 5.0.0 수정 버전: 5.9.2
수정 npm install gatsby-source-wordpress@5.9.2

참고