CVE-2021-32770
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Gatsby is a framework for building websites. The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected. A patch has been introduced in gatsby-source-wordpress@4.0.8 and gatsby-source-wordpress@5.9.2 which mitigates the issue by filtering all variables specified in the auth: { } section. Users that depend on this functionality are advised to upgrade to the latest release of gatsby-source-wordpress, run gatsby clean followed by a gatsby build. One may manually edit the app.js file post-build as a workaround.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| gatsbyjs | gatsby | < 4.0.8 | affected |
| gatsbyjs | gatsby | >= 5.0.0, < 5.9.2 | affected |
Weaknesses
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.