जमा करें #857924: django-tastypie 0.15.1 at commit 03c4746f0a0f88628be5264bc8d4a19a0529b2f4 CWE-598 Use of GET Request Method With Sensitive Query Stringsजानकारी

शीर्षकdjango-tastypie 0.15.1 at commit 03c4746f0a0f88628be5264bc8d4a19a0529b2f4 CWE-598 Use of GET Request Method With Sensitive Query Strings
विवरणdjango-tastypie 0.15.1 contains a conditional credential exposure issue in ApiKeyAuthentication. If Authorization header parsing fails, extract_credentials() falls back to reading username and api_key from request.GET or request.POST, and is_authenticated() accepts those values as API key credentials. Applications must use ApiKeyAuthentication and clients must pass credentials through query or form parameters for this to be exploitable. In that configuration, API keys can be captured in web server logs, reverse proxy logs, browser history, bookmarks, referrer headers, analytics tools, and shared URLs. An attacker who obtains those logs or URLs can replay the API key as the victim user. Remediation should remove GET/POST credential fallback or require explicit opt-in, and should prefer Authorization header authentication.
स्रोत⚠️ https://github.com/django-tastypie/django-tastypie/issues/1700
उपयोगकर्ता
 Galaxyn (UID 98388)
सबमिशन13/06/2026 12:55 PM (1 महीना पहले)
संयम18/07/2026 10:27 AM (1 month later)
स्थितिस्वीकृत
VulDB प्रविष्टि380023 [django-tastypie तक 0.15.1 authentication.py ApiKeyAuthentication सूचना का प्रकटीकरण]
अंक20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!