Posted to issues@ambari.apache.org by "Luc H (Jira)" <ji...@apache.org> on 2020/11/17 03:46:00 UTC

[jira] [Created] (AMBARI-25588) Use basic authentication over HTTP

Luc H created AMBARI-25588:
------------------------------

             Summary: Use basic authentication over HTTP
                 Key: AMBARI-25588
                 URL: https://issues.apache.org/jira/browse/AMBARI-25588
             Project: Ambari
          Issue Type: Bug
          Components: test
    Affects Versions: trunk
            Reporter: Luc H


Sensitive information like username and password shall not be sent over the cleartext HTTP channel. Basic authentication only obfuscates username/password in Base64 encoding, which can be easily recognized and reversed.

The class {{ambari-funtest/src/test/java/org/apache/ambari/funtest/server/AmbariHttpWebRequest.java}} sends username and password in basic authentication over an HTTP connection. Sending username and password using the HTTP protocol violates CWE-522 "Insufficiently Protected Credentials".

Although the vulnerable class is in the {{ambari-funtest}} package, as Ambari is a popular repository of Apache that is watched and used by many users and organizations, whose code could be extended and customized, the issue shall be resolved in my opinion.
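The following is an added illustration, not code from Ambari or from the reporter's PR: it shows why a Base64-encoded Basic header is recoverable by anyone observing the cleartext channel, and a guard that refuses to attach credentials unless the target URI uses HTTPS, which is the kind of check a test client such as the one described above could apply before sending. The class name, the host names and the credentials are constructed placeholders.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Hypothetical helper written for this illustration; it is not Ambari's
// AmbariHttpWebRequest and does not reflect that class's structure.
public final class BasicAuthGuard {

    /** Build the value of an HTTP Basic Authorization header (RFC 7617). */
    static String basicAuthHeader(String user, String password) {
        String raw = user + ":" + password;
        return "Basic " + Base64.getEncoder()
                .encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Base64 is an encoding, not encryption: any party that can read the
     * request on the wire recovers "user:password" with one decode call.
     */
    static String decodeBasicAuthHeader(String header) {
        String b64 = header.substring("Basic ".length());
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    /**
     * Attach credentials only when the transport protects them. Throwing,
     * rather than silently sending, makes a misconfigured http:// base URL
     * fail fast instead of leaking the credentials (CWE-522).
     */
    static String authorizationFor(URI target, String user, String password) {
        String scheme = target.getScheme();
        if (scheme == null || !scheme.equalsIgnoreCase("https")) {
            throw new IllegalArgumentException(
                "refusing to send Basic credentials over " + scheme
                + " to " + target.getHost());
        }
        return basicAuthHeader(user, password);
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample values; not real credentials or hosts.
        String header = basicAuthHeader("admin", "s3cret");
        System.out.println("header sent:   " + header);
        System.out.println("recovered as:  " + decodeBasicAuthHeader(header));

        URI secure = new URI("https://ambari.example.test:8443/api/v1/clusters");
        System.out.println("https ok:      " + authorizationFor(secure, "admin", "s3cret"));

        URI cleartext = new URI("http://ambari.example.test:8080/api/v1/clusters");
        try {
            authorizationFor(cleartext, "admin", "s3cret");
        } catch (IllegalArgumentException e) {
            System.out.println("http blocked:  " + e.getMessage());
        }
    }
}
```

The guard deliberately rejects rather than upgrading the scheme itself: rewriting `http` to `https` would hide the misconfiguration, whereas an exception surfaces it in the test run where it can be fixed.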

Relevant PR is [#3210](https://github.com/apache/ambari/pull/3210).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)