9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-30846

CVE-2023-30846: Potential leak of authentication data to 3rd parties

Impact

Users of typed-rest-client library version 1.7.3 or lower are vulnerable to leak authentication data to 3rd parties.

The flow of the vulnerability is as follows:

Send any request with BasicCredentialHandler, BearerCredentialHandler or PersonalAccessTokenCredentialHandler
The target host may return a redirection (3xx), with a link to a second host.
The next request will use the credentials to authenticate with the second host, by setting the Authorization header.

The expected behavior is that the next request will NOT set the Authorization header.

Patches

The problem was fixed on April 1st 2020.

Workarounds

There is no workaround.

References

This is similar to the following issues in nature:

HTTP authentication leak in redirects - I used the same solution as CURL did.
CVE-2018-1000007.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-30846

CVE-2023-30846:

9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typed-rest-client	npm	< 1.8.0	1.8.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the prepareRequest methods in credential handlers not validating request origin before setting Authorization headers. The commit diff shows all three handlers were modified to add origin tracking and conditional header injection. Pre-patch versions lacked the 'origin === options.host' check and 'allowCrossOriginAuthentication' guard, making them automatically forward credentials to any host during redirects. The added unit tests confirm the vulnerability by verifying Authorization headers are suppressed after redirects.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-30846: Potential leak of authentication data to 3rd parties

Impact

Patches

Workarounds

References

CVE-2023-30846:

9.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

9.1

9.1

CVE-2023-30846: Potential leak of authentication data to 3rd parties

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI