logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-4vr3-9v7h-5f8v gw2sharp

Package

Manager: nuget
Name: gw2sharp
Vulnerable Version: >=0 <0.3.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Low severity vulnerability that affects Gw2Sharp ## Leaking cached authenticated requests ### Impact If you've been using one `MemoryCacheMethod` object in multiple instances of `Gw2WebApiClient` and are requesting authenticated endpoints with different access tokens, then you are likely to run into this bug. When using an instance of `MemoryCacheMethod` and using it with multiple instances of `Gw2WebApiClient`, there's a possibility that cached authenticated responses are leaking to another request to the same endpoint, but with a different Guild Wars 2 access token. The latter request wouldn't start however, and would return the first cached response immediately. This means that the second response (or later responses) may contain the same data as the first response, therefore leaking data from another authenticated endpoint. The occurence of this is limited however. The Guild Wars 2 API doesn't use the `Expires` header on most (if not all) authenticated endpoints. This header is checked when caching responses. If this header isn't available, the response isn't cached at all. You should still update to at least version 0.3.1 in order to be certain that it won't happen. ### Patches This bug has been fixed in version 0.3.1. When using an authenticated endpoint, it will prepend the SHA-1 hash of the access token to the cache id. ### Workarounds For version 0.3.0 and lower, you can use one separate instance of `MemoryCacheMethod` per `Gw2WebApiClient` if you need to use it. ### For more information If you have any questions or comments about this advisory, you can open an issue in [the Gw2Sharp repository](https://github.com/Archomeda/Gw2Sharp) or contact me on [Discord](https://discord.gg/hNcpDT3).

Metadata

Created: 2019-06-18T15:38:41Z
Modified: 2021-12-03T14:36:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-4vr3-9v7h-5f8v/GHSA-4vr3-9v7h-5f8v.json
CWE IDs: []
Alternative ID: N/A
Finding: F038
Auto approve: 1