Posted to issues@ambari.apache.org by "Luc H (Jira)" <ji...@apache.org> on 2020/11/17 03:46:00 UTC
[jira] [Created] (AMBARI-25588) Use basic authentication over HTTP
Luc H created AMBARI-25588:
------------------------------
Summary: Use basic authentication over HTTP
Key: AMBARI-25588
URL: https://issues.apache.org/jira/browse/AMBARI-25588
Project: Ambari
Issue Type: Bug
Components: test
Affects Versions: trunk
Reporter: Luc H
Sensitive information like username and password shall not be sent over the cleartext HTTP channel. Basic authentication only obfuscates username/password in Base64 encoding, which can be easily recognized and reversed.
The class {{ambari-funtest/src/test/java/org/apache/ambari/funtest/server/AmbariHttpWebRequest.java}} sends username and password in basic authentication over an HTTP connection. Sending username and password using the HTTP protocol violates CWE-522 "Insufficiently Protected Credentials".
Although the vulnerable class is in the {{ambari-funtest}} package, as Ambari is a popular repository of Apache that is watched and used by many users and organizations, whose code could be extended and customized, the issue shall be resolved in my opinion.
Relevant PR is [#3210](https://github.com/apache/ambari/pull/3210).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
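
The report's two points, shown as an added Java example (not code from AmbariHttpWebRequest or the Ambari project): a Basic header decodes straight back to the username and password, and a client-side guard can refuse to build that header for a non-HTTPS target. The class name, method names, host, and credentials are hypothetical, constructed for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration; class and method names are hypothetical.
public class BasicAuthGuard {

    /** Builds the Authorization header value, but only for an https target. */
    static String basicAuthHeader(URI target, String user, String password) {
        if (!"https".equalsIgnoreCase(target.getScheme())) {
            throw new IllegalArgumentException(
                "refusing to send Basic credentials over " + target.getScheme());
        }
        String pair = user + ":" + password;
        return "Basic " + Base64.getEncoder()
            .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    /** What any reader of the cleartext request recovers from the header. */
    static String[] decodeBasic(String headerValue) {
        if (!headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not a Basic credential");
        }
        byte[] raw = Base64.getDecoder().decode(headerValue.substring(6).trim());
        // Split on the first colon only: the password may itself contain ':'.
        return new String(raw, StandardCharsets.UTF_8).split(":", 2);
    }

    public static void main(String[] args) {
        // Constructed sample values (hypothetical host and credentials).
        String header = basicAuthHeader(
            URI.create("https://ambari.example.test:8443/api/v1/clusters"),
            "admin", "s3cr:et");
        String[] parts = decodeBasic(header);
        System.out.println(header + " -> " + parts[0] + " / " + parts[1]);

        try {
            // Same request over cleartext HTTP: the guard rejects it.
            basicAuthHeader(
                URI.create("http://ambari.example.test:8080/api/v1/clusters"),
                "admin", "s3cr:et");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```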