CVE-2021-32770 : What You Need to Know

Discover the impact of CVE-2021-32770 on the Gatsby framework. Learn how vulnerable versions of the gatsby-source-wordpress plugin expose HTTP Basic Authentication credentials, and take immediate steps for mitigation.

A vulnerability in the gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 could lead to the exposure of sensitive information. Users are advised to take immediate action to secure their websites.

Understanding CVE-2021-32770

This CVE relates to a security issue in Gatsby's WordPress source plugin (gatsby-source-wordpress), which could leak .htaccess HTTP Basic Authentication credentials at build time.

What is CVE-2021-32770?

Gatsby's WordPress plugin, before versions 4.0.8 and 5.9.2, exposes sensitive .htaccess HTTP Basic Authentication variables during the build process. Users not setting basic authentication credentials in gatsby-config.js may be impacted.

The Impact of CVE-2021-32770

The vulnerability, with a CVSSv3 base score of 7.5 (High Severity), could allow unauthorized access to confidential information.

Technical Details of CVE-2021-32770

The details of the vulnerability include:

Vulnerability Description

The gatsby-source-wordpress plugin, in versions prior to 4.0.8 and 5.9.2, leaks .htaccess HTTP Basic Authentication variables into the app.js bundle at build time.

Affected Systems and Versions

Affected versions of the gatsby-source-wordpress plugin: < 4.0.8, and >= 5.0.0 but < 5.9.2.

Exploitation Mechanism

Because the authentication variables are written into the app.js bundle that the built site serves to browsers, anyone who can download the site's JavaScript can potentially recover the credentials and access the protected WordPress backend.

Mitigation and Prevention

To address this vulnerability, users should take the following steps:

Immediate Steps to Take:

        1. Upgrade to the latest release of gatsby-source-wordpress.
        2. Run `gatsby clean`, followed by `gatsby build`, so that the cached bundle containing the leaked variables is regenerated.

Long-Term Security Practices

        Ensure basic authentication credentials are correctly initialized in the gatsby-config.js file, and verify after each build that they do not appear in the generated client bundles.

Patching and Updates

Apply the patches available in gatsby-source-wordpress versions 4.0.8 and 5.9.2 to mitigate the issue.
