PT-2023-23001 · Unknown · Typed-Rest-Client

Jlleitschuh · Published 2023-04-26 · Updated 2023-06-01 · CVE-2023-30846

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: typed-rest-client versions 1.7.3 and earlier

Description: The typed-rest-client library is vulnerable to leaking authentication data to third parties. This occurs when a request is sent with BasicCredentialHandler, BearerCredentialHandler, or PersonalAccessTokenCredentialHandler and the target host returns a redirection pointing to a second host. The follow-up request then authenticates to the second host with the same credentials by setting the Authorization header, which is not the expected behavior. The problem was fixed in version 1.8.0.

Recommendations: For typed-rest-client versions 1.7.3 and earlier, update to version 1.8.0 to resolve the issue. As a temporary workaround, consider disabling the use of BasicCredentialHandler, BearerCredentialHandler, and PersonalAccessTokenCredentialHandler until the update is applied. Restrict access to sensitive resources that may be exposed due to this vulnerability.

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2023-30846
GHSA-558P-M34M-VPMQ

Affected Products

Typed-Rest-Client