Headline
CVE-2021-32770: Basic-auth app bundle credential exposure in gatsby-source-wordpress
Gatsby is a framework for building websites. The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected. A patch has been introduced in [email protected] and [email protected] which mitigates the issue by filtering all variables specified in the auth: { } section. Users that depend on this functionality are advised to upgrade to the latest release of gatsby-source-wordpress, run gatsby clean followed by a gatsby build. One may manually edit the app.js file post-build as a workaround.
Package
npm gatsby-source-wordpress (npm)
Affected versions
<4.0.8; <5.9.2
Patched versions
4.0.8; 5.9.2
Impact
The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected.
Example affected gatsby-config.js:
resolve: 'gatsby-source-wordpress',
auth: {
htaccess: {
username: leaked_username
password: leaked_password,
},
},
Patches
A patch has been introduced in [email protected] and [email protected] which mitigates the issue by filtering all variables specified in the auth: { } section. Users that depend on this functionality are advised to upgrade to the latest release of gatsby-source-wordpress, run gatsby clean followed by a gatsby build.
Workarounds
There is no known workaround at this time, other than manually editing the app.js file post-build.
For more information
Email us at [email protected]