CVE-2024-6104
Published 2024-06-24
CVE-2024-6104: go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth…
Priority P4 · 24 · medium · 5.5 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.36% (27.8th percentile)
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
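The CWE-532 pattern behind this CVE, shown as an added example that is not go-retryablehttp's own code: logging a request URL verbatim writes any basic-auth password carried in its userinfo to the log, whereas the standard library's url.URL.Redacted masks the password before it reaches the logger. The sample URL, credentials and log format are constructed for the example.

```go
package main

import (
	"fmt"
	"log"
	"net/url"
	"os"
	"strings"
)

// Constructed sample: a request URL whose userinfo carries HTTP basic auth
// credentials, the way a caller might hand it to an HTTP client.
const sampleURL = "https://svc-user:s3cr3t-pass@api.example.com/v1/items?limit=5"

// unsanitizedLogLine mirrors the pre-fix behaviour: the whole URL, password
// included, is written to the log exactly as parsed.
func unsanitizedLogLine(method string, u *url.URL) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, u.String())
}

// sanitizedLogLine uses url.URL.Redacted (Go 1.15+), which replaces the
// userinfo password with "xxxxx" and leaves the rest of the URL intact.
func sanitizedLogLine(method string, u *url.URL) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, u.Redacted())
}

// hasPasswordLeak is a log-review check (constructed here, not a library
// call): it reports whether a log line contains the URL's cleartext password.
func hasPasswordLeak(line string, u *url.URL) bool {
	if u.User == nil {
		return false
	}
	pw, ok := u.User.Password()
	if !ok || pw == "" {
		return false
	}
	return strings.Contains(line, pw)
}

func main() {
	u, err := url.Parse(sampleURL)
	if err != nil {
		log.Fatal(err)
	}
	logger := log.New(os.Stdout, "", 0)
	before := unsanitizedLogLine("GET", u)
	after := sanitizedLogLine("GET", u)
	logger.Printf("before fix: %s (leaks password: %v)", before, hasPasswordLeak(before, u))
	logger.Printf("after fix:  %s (leaks password: %v)", after, hasPasswordLeak(after, u))
}
```

Running the same hasPasswordLeak check over an existing log file, with the credentials in use, is one way to confirm whether an affected version has already written secrets before the 0.7.7 upgrade.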
Affected
28 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-hashicorp-go-retryablehttp | — | — |
| github.com | hashicorp_go-retryablehttp | >= 0 < 0.7.7 | 0.7.7 |
| hashicorp | retryablehttp | < 0.7.7 | 0.7.7 |
| hashicorp | shared_library | < 0.7.7 | 0.7.7 |
| msrc | azl3_cert-manager_1.12.12-3 | — | — |
| msrc | azl3_influxdb_2.7.3-5 | — | — |
| msrc | azl3_influxdb_2.7.5-5 | — | — |
| msrc | azl3_keda_2.14.0-2 | — | — |
| msrc | azl3_keda_2.14.1-7 | — | — |
| msrc | azl3_libcontainers-common_20240213-2 | — | — |
| msrc | azl3_libcontainers-common_20240213-3 | — | — |
| msrc | azl3_packer_1.9.5-2 | — | — |
| msrc | azl3_packer_1.9.5-9 | — | — |
| msrc | azl3_prometheus_2.45.4-12 | — | — |
| msrc | azl3_prometheus_2.45.4-3 | — | — |
| msrc | azl3_skopeo_1.14.4-2 | — | — |
| msrc | azl3_skopeo_1.14.4-5 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_cert-manager_1.11.2-12 | — | — |
| msrc | cbl2_cert-manager_1.11.2-22 | — | — |
| msrc | cbl2_cri-o_1.22.3-14 | — | — |
| msrc | cbl2_cri-o_1.22.3-6 | — | — |
| msrc | cbl2_influxdb_2.6.1-15 | — | — |
| msrc | cbl2_influxdb_2.6.1-22 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvdv3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| ghsa | 5.5 | MEDIUM | — |
| osv | 5.5 | MEDIUM | — |
| vendor_debian | 6.0 | MEDIUM | — |
| vendor_redhat | 6.0 | MEDIUM | — |
| vendor_msrc | 5.5 | MEDIUM | — |
OSV
Leak of sensitive information to log files in github.com/hashicorp/go-retryablehttp
osv · 2024-06-25
URLs were not sanitized when writing them to log files. This could lead to writing sensitive HTTP basic auth credentials to the log file.
GHSA
go-retryablehttp can leak basic auth credentials to log files
ghsa · 2024-06-24 · CVSS 5.5 · MEDIUM · CWE-532
OSV
CVE-2024-6104: go-retryablehttp prior to 0
osv · 2024-06-24 · CVSS 5.5 · MEDIUM
OSV
go-retryablehttp can leak basic auth credentials to log files
osv · 2024-06-24 · CVSS 5.5 · MEDIUM
Red Hat
go-retryablehttp: url might write sensitive information to log file
vendor_redhat · 2024-06-24 · CVSS 6.0 · MEDIUM · CWE-532
A vulnerability was found in go-retryablehttp. The package may suffer from a lack of input sanitization by not cleaning up URL data when writing to the logs. This issue could expose sensitive authentication information.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Microsoft
go-retryablehttp can leak basic auth credentials to log files
vendor_msrc · 2024-06-11 · CVSS 5.5 · MEDIUM · CWE-532
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
HashiCorp: HashiCorp
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Debian
CVE-2024-6104: golang-github-hashicorp-go-retryablehttp - go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its l...
vendor_debian · 2024 · CVSS 6.0 · MEDIUM
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.