CVE-2023-30846

Published: Apr 26, 2023

Modified: Feb 13, 2025

PUBLISHED

CVSS v3.1

9.1

CRITICAL

Description

typed-rest-client is a library for Node Rest and Http Clients with typings for use with TypeScript. Users of the typed-rest-client library version 1.7.3 or lower are vulnerable to leak authentication data to 3rd parties. The flow of the vulnerability is as follows: First, send any request with `BasicCredentialHandler`, `BearerCredentialHandler` or `PersonalAccessTokenCredentialHandler`. Second, the target host may return a redirection (3xx), with a link to a second host. Third, the next request will use the credentials to authenticate with the second host, by setting the `Authorization` header. The expected behavior is that the next request will *NOT* set the `Authorization` header. The problem was fixed in version 1.8.0. There are no known workarounds.

Vendor	Product	Versions
microsoft	typed-rest-client	affected `< 1.8.0`

Weaknesses (CWE)

CWE-522

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/microsoft/typed-rest-client/security/advisories/GHSA-558p-m34m-vpmq

x_refsource_CONFIRM

https://github.com/microsoft/typed-rest-client/commit/f9ff755631b982ee1303dfc3e3c823d0d31233e8

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20230601-0008/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-30846

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References