GHSA-gc24-px2r-5qmf: Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication
- A hardcoded secret key used for signing JWTs is checked into source code
- Many API routes do not check authentication
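The two findings above are a configuration defect (a signing secret checked into source, so anyone who reads the repository can mint valid tokens) and a missing authorization check on routes. The following is an added example, not Bambuddy's code or part of the advisory: it shows the mitigations on the defender's side using only the Python standard library. `DEFAULT_SECRET`, the route paths, the `Api` dispatcher and the claim values are all constructed placeholders; the HS256 signing and verification follow the JWT specification (RFC 7519).

```python
# Added example (not Bambuddy's code): HS256 JWT verification that refuses a
# default/hardcoded secret and applies authentication to every route by
# default. Standard library only; all secrets, paths and claims are constructed.
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Hypothetical stand-in for a checked-in default secret; never accept it.
DEFAULT_SECRET = "CHANGE_ME_DEFAULT_SECRET"


def load_secret(env=os.environ):
    """Load the signing secret from the environment and refuse the default.

    Failing to start is the mitigation: a secret that lives in the repository
    is effectively public, so each deployment must supply its own.
    """
    secret = env.get("JWT_SECRET")
    if not secret or secret == DEFAULT_SECRET or len(secret) < 32:
        raise RuntimeError("JWT_SECRET must be set to a unique value of at least 32 characters")
    return secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Mint an HS256 token (used here to build test inputs for verify_jwt)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: str, now=None):
    """Return the claims if the token is valid under `secret`, else None.

    Pins the algorithm to HS256, compares the MAC in constant time and enforces
    `exp`; a token signed with any other key (e.g. a leaked default) is rejected.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= (now or time.time()):
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


class Api:
    """Minimal dispatcher: every route requires a valid token unless marked public."""

    def __init__(self, secret: str):
        self.secret = secret
        self.routes = {}

    def route(self, path, public=False):
        def deco(fn):
            self.routes[path] = (fn, public)
            return fn
        return deco

    def handle(self, path, headers):
        """Return (status, body); deny by default rather than per-route opt-in."""
        fn, public = self.routes.get(path, (None, False))
        if fn is None:
            return 404, None
        claims = None
        if not public:
            auth = headers.get("Authorization", "")
            if not auth.startswith("Bearer "):
                return 401, None
            claims = verify_jwt(auth[len("Bearer "):], self.secret)
            if claims is None:
                return 401, None
        return 200, fn(claims)


def demo():
    """Exercise both mitigations; returns a dict of outcomes for checking."""
    results = {}
    try:  # a deployment still using the checked-in default must not start
        load_secret({"JWT_SECRET": DEFAULT_SECRET})
        results["default_rejected"] = False
    except RuntimeError:
        results["default_rejected"] = True
    secret = load_secret({"JWT_SECRET": secrets.token_hex(32)})
    api = Api(secret)

    @api.route("/api/printers")  # constructed route name
    def printers(claims):
        return {"user": claims["sub"], "printers": ["constructed-printer-1"]}

    @api.route("/health", public=True)  # the only route that is public on purpose
    def health(_claims):
        return {"ok": True}

    exp = time.time() + 3600
    good = sign_jwt({"sub": "alice", "exp": exp}, secret)
    forged = sign_jwt({"sub": "admin", "exp": exp}, DEFAULT_SECRET)  # signed with the leaked default
    results["no_auth"] = api.handle("/api/printers", {})[0]
    results["forged"] = api.handle("/api/printers", {"Authorization": "Bearer " + forged})[0]
    results["valid"] = api.handle("/api/printers", {"Authorization": "Bearer " + good})
    results["public"] = api.handle("/health", {})[0]
    return results
```

The two design choices that matter are that `load_secret` fails closed at startup instead of silently falling back to the default, and that `Api.handle` enforces authentication unless a route is explicitly marked `public`, so a newly added endpoint cannot be unauthenticated by omission.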
```python
# Tail of the PoC script as shown on the page (summary printing only);
# `results` and `main` are defined in the part of the script not reproduced here.
print("\n" + "=" * 70)
print("\n[SUMMARY]\n")
print(f"Endpoints accessible WITHOUT authentication ({len(results['no_auth'])}):")
for ep in results["no_auth"]:
    print(f"  - {ep}")
print(f"\nEndpoints accessible with FORGED JWT only ({len(results['jwt_only'])}):")
for ep in results["jwt_only"]:
    print(f"  - {ep}")
print(f"\nEndpoints that rejected both ({len(results['both_fail'])}):")
for ep, no_auth, jwt_auth in results["both_fail"]:
    print(f"  - {ep} (no_auth: {no_auth}, jwt: {jwt_auth})")

if __name__ == "__main__":
    main()
```
</details>
<details>
<summary>Script output</summary>