
Use basic authentication over HTTP


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: trunk
    • Fix Version/s: None
    • Component/s: test
    • Labels:
      None

      Description

      Sensitive information like username and password shall not be sent over the cleartext HTTP channel. Basic authentication only obfuscates username/password in Base64 encoding, which can be easily recognized and reversed.

      The class ambari-funtest/src/test/java/org/apache/ambari/funtest/server/AmbariHttpWebRequest.java sends username and password in basic authentication over an HTTP connection. Sending username and password using the HTTP protocol violates CWE-522 "Insufficiently Protected Credentials".

      Although the vulnerable class is in the ambari-funtest package, Ambari is a popular Apache repository that is watched and used by many users and organizations, whose code could be extended and customized, so in my opinion the issue should be resolved.

      Relevant PR: #3210 (https://github.com/apache/ambari/pull/3210).
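      To make the CWE-522 point concrete, the following is an added Python example, not Ambari's code and not the change in the PR: it recovers the username from a Basic Authorization header in a constructed captured request (showing the Base64 encoding is reversible), flags requests that carried such a header over plain HTTP, and shows a guard that only attaches Basic credentials to an https URL. Host names, ports and the credentials are constructed samples.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample: the same request head captured over plain HTTP and over TLS.
# The token is Base64 of "alice:s3cret" (constructed credentials).
CAPTURED_REQUESTS = [
    ("http", "GET /api/v1/clusters HTTP/1.1\r\nHost: ambari.example.test:8080\r\n"
             "Authorization: Basic YWxpY2U6czNjcmV0\r\n\r\n"),
    ("https", "GET /api/v1/clusters HTTP/1.1\r\nHost: ambari.example.test:8443\r\n"
              "Authorization: Basic YWxpY2U6czNjcmV0\r\n\r\n"),
]

def basic_auth_username(raw_request: str):
    """Return the username carried in a Basic Authorization header, or None.
    Only the username is returned: the point is that the header is plain,
    reversible Base64, so anyone reading the cleartext channel can do this."""
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, _password = decoded.partition(":")
        return user if sep else None
    return None

def find_cleartext_basic_auth(captures):
    """Detection: (transport, username) for every request that sent Basic
    credentials over anything other than TLS."""
    findings = []
    for transport, raw in captures:
        user = basic_auth_username(raw)
        if user is not None and transport != "https":
            findings.append((transport, user))
    return findings

def basic_auth_header_for(url: str, user: str, password: str) -> dict:
    """Mitigation: build the Authorization header only for an https URL,
    refusing to put credentials on a cleartext connection at all."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        raise ValueError(f"refusing to send Basic credentials over {scheme!r}; use https")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}
```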

            People

            • Assignee:
              Unassigned
              Reporter:
              luchua-bc Luc H