提出 #857924: django-tastypie 0.15.1 at commit 03c4746f0a0f88628be5264bc8d4a19a0529b2f4 CWE-598 Use of GET Request Method With Sensitive Query Strings情報

タイトルdjango-tastypie 0.15.1 at commit 03c4746f0a0f88628be5264bc8d4a19a0529b2f4 CWE-598 Use of GET Request Method With Sensitive Query Strings
説明django-tastypie 0.15.1 contains a conditional credential exposure issue in ApiKeyAuthentication. If Authorization header parsing fails, extract_credentials() falls back to reading username and api_key from request.GET or request.POST, and is_authenticated() accepts those values as API key credentials. Applications must use ApiKeyAuthentication and clients must pass credentials through query or form parameters for this to be exploitable. In that configuration, API keys can be captured in web server logs, reverse proxy logs, browser history, bookmarks, referrer headers, analytics tools, and shared URLs. An attacker who obtains those logs or URLs can replay the API key as the victim user. Remediation should remove GET/POST credential fallback or require explicit opt-in, and should prefer Authorization header authentication.
ソース⚠️ https://github.com/django-tastypie/django-tastypie/issues/1700
ユーザー
 Galaxyn (UID 98388)
送信2026年06月13日 12:55 (1 月 ago)
モデレーション2026年07月18日 10:27 (1 month later)
ステータス承諾済み
VulDBエントリ380023 [django-tastypie 迄 0.15.1 authentication.py ApiKeyAuthentication 情報漏えい]
ポイント20

Might our Artificial Intelligence support you?

Check our Alexa App!