CVE-2024-28110Insufficiently Protected Credentials in Sdk-go

CWE-522Insufficiently Protected Credentials6 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.1%
top 66.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
11
Cloudevents Sdk-goGithub.com Cloudevents Sdk-go V2Cloudevents GO SDK+8 more
Timeline
PublishedMar 6
Latest updateMar 12

Description

Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages11 packages

CVEListV5cloudevents/sdk-go< 2.15.2
NVDcloudevents/go_sdk2.15.1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
Authentication token leak in github.com/cloudevents/sdk-go/v22024-03-11
GHSA
Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials2024-03-06
OSV
Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials2024-03-06

📋Vendor Advisories

2
Microsoft
Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials2024-03-12
Red Hat
cloudevents/sdk-go: usage of WithRoundTripper to create a Client leaks credentials2024-03-06