CVE-2023-30846 (High) detected in typed-rest-client-1.5.0.tgz #94
Description
CVE-2023-30846 - High Severity Vulnerability
Vulnerable Library - typed-rest-client-1.5.0.tgz
Node Rest and Http Clients for use with TypeScript
Library home page: https://registry.npmjs.org/typed-rest-client/-/typed-rest-client-1.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/typed-rest-client/package.json
Dependency Hierarchy:
- @actions/tool-cache-0.0.0.tgz (Root Library)
- ❌ typed-rest-client-1.5.0.tgz (Vulnerable Library)
Found in HEAD commit: 940b9f1e77abd1eb330bad2b4b0dd70339e0ab2a
Found in base branch: auth-test
Vulnerability Details
typed-rest-client is a library for Node Rest and Http Clients with typings for use with TypeScript. Users of the typed-rest-client library version 1.7.3 or lower are vulnerable to leak authentication data to 3rd parties. The flow of the vulnerability is as follows: First, send any request with BasicCredentialHandler, BearerCredentialHandler or PersonalAccessTokenCredentialHandler. Second, the target host may return a redirection (3xx), with a link to a second host. Third, the next request will use the credentials to authenticate with the second host, by setting the Authorization header. The expected behavior is that the next request will NOT set the Authorization header. The problem was fixed in version 1.8.0. There are no known workarounds.
Publish Date: 2023-04-26
URL: CVE-2023-30846
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-30846
Release Date: 2023-04-26
Fix Resolution: typed-rest-client - 1.8.0
Step up your Open Source Security Game with Mend here