제출 #857924: django-tastypie 0.15.1 at commit 03c4746f0a0f88628be5264bc8d4a19a0529b2f4 CWE-598 Use of GET Request Method With Sensitive Query Strings정보

제목django-tastypie 0.15.1 at commit 03c4746f0a0f88628be5264bc8d4a19a0529b2f4 CWE-598 Use of GET Request Method With Sensitive Query Strings
설명django-tastypie 0.15.1 contains a conditional credential exposure issue in ApiKeyAuthentication. If Authorization header parsing fails, extract_credentials() falls back to reading username and api_key from request.GET or request.POST, and is_authenticated() accepts those values as API key credentials. Applications must use ApiKeyAuthentication and clients must pass credentials through query or form parameters for this to be exploitable. In that configuration, API keys can be captured in web server logs, reverse proxy logs, browser history, bookmarks, referrer headers, analytics tools, and shared URLs. An attacker who obtains those logs or URLs can replay the API key as the victim user. Remediation should remove GET/POST credential fallback or require explicit opt-in, and should prefer Authorization header authentication.
원천⚠️ https://github.com/django-tastypie/django-tastypie/issues/1700
사용자
 Galaxyn (UID 98388)
제출2026. 06. 13. PM 12:55 (1 월 ago)
모더레이션2026. 07. 18. AM 10:27 (1 month later)
상태수락
VulDB 항목380023 [django-tastypie 까지 0.15.1 authentication.py ApiKeyAuthentication 정보 공개]
포인트들20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!