PT-2026-32131 · PyPI · Openssl-Encrypt
Published 2026-04-01 · Updated 2026-04-01
CVSS v4.0: 6.6 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |
Summary
Refresh tokens are accepted as URL query parameters in the keyserver and telemetry server routes.
Affected Code
```python
# openssl encrypt server/modules/keyserver/routes.py:214-215
# openssl encrypt server/modules/telemetry/routes.py:90-91
from fastapi import Query, Request

async def refresh_token(
    request: Request,
    refresh_token: str = Query(..., description="Refresh token")  # token is read from the URL query string
):
    ...
```
Impact
Tokens in URL query parameters are exposed in:
- Server access logs
- Proxy/CDN logs
- Browser history
- HTTP Referer headers
- Network monitoring tools
This creates significant token leakage risk.
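As an added example (not part of the advisory or the openssl-encrypt project), a stdlib-only scanner that finds and redacts refresh tokens that reached an access log through the query string; the log lines are constructed, and the parameter name refresh_token is taken from the affected signature above.

```python
"""Find and redact refresh tokens leaked via URL query strings in access logs."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that must never carry a credential in a URL.
# Assumption: the affected routes use "refresh_token" as in the signature above.
SENSITIVE_PARAMS = {"refresh_token", "access_token", "token"}

# Request line as written by common access-log formats: "METHOD TARGET HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def leaked_params(target: str) -> dict:
    """Return the sensitive query parameters present in a request target."""
    query = urlsplit(target).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS}


def redact_target(target: str) -> str:
    """Replace sensitive query values so the log line can be retained safely."""
    parts = urlsplit(target)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_access_log(lines):
    """Return (line_no, method, path, leaked_param_names) for each leaking line."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if m and (leaked := leaked_params(m["target"])):
            findings.append((n, m["method"], urlsplit(m["target"]).path, sorted(leaked)))
    return findings


# Constructed sample lines in combined log format; token values are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2026:12:00:01 +0000] "POST /keyserver/refresh?refresh_token=CONSTRUCTED_TOKEN_1 HTTP/1.1" 200 311',
    '10.0.0.6 - - [01/Apr/2026:12:00:02 +0000] "POST /telemetry/refresh HTTP/1.1" 200 298',
    '10.0.0.7 - - [01/Apr/2026:12:00:03 +0000] "GET /telemetry/refresh?refresh_token=CONSTRUCTED_TOKEN_2&client=cli HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for n, method, path, params in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {method} {path} leaks {params}")
```

The second sample line models the fixed behaviour (token in the POST body) and produces no finding, which is the check to run against proxy and CDN logs after deploying the fix.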
Recommended Fix
- Accept refresh tokens in the request body (POST) instead of query parameters
- Use Body(...) instead of Query(...)
Fix
Fixed in commit 4b2adb0 on branch releases/1.4.x: moved the refresh token from a Query parameter to the POST body via a RefreshRequest Pydantic model.
Correction
Found a problem in the description? Have something to add? Feel free to write to us 👾
Weakness Enumeration
Related identifiers
Affected products
Openssl-Encrypt