CVE-2024-6104: Log File Information Exposure in Hashicorp Go-retryablehttp

Severity
NVD: 5.5 MEDIUM
CNA: 6.0
EPSS
0.0% (top 86.16%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 24
Latest update: Jun 25

Description

go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
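As an added illustration (not go-retryablehttp's own code), the Go snippet below contrasts logging a request URL with u.String(), which keeps the basic auth userinfo as the pre-0.7.7 log path did, against url.URL.Redacted(), which masks the password; it also includes a small detector that flags log lines still carrying a URL password. The log lines, function names and sample credentials are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample log (not real go-retryablehttp output): pre-fix, redacted, plain.
const SampleLog = `[DEBUG] GET https://alice:s3cret@api.example.com/v1/items
[DEBUG] GET https://alice:xxxxx@api.example.com/v1/items
[DEBUG] GET https://api.example.com/health`

// LogLineUnsanitized mimics the vulnerable behaviour: u.String() keeps userinfo.
func LogLineUnsanitized(method string, u *url.URL) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, u.String())
}

// LogLineRedacted is the fixed form: Redacted() masks the password as "xxxxx".
func LogLineRedacted(method string, u *url.URL) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, u.Redacted())
}

// urlToken matches scheme://... runs so each URL can be parsed on its own.
var urlToken = regexp.MustCompile(`[A-Za-z][A-Za-z0-9+.-]*://\S+`)

// FindLeakedCredentialURLs returns log lines with a URL still carrying a real password.
func FindLeakedCredentialURLs(logText string) []string {
	var hits []string
	for _, line := range strings.Split(logText, "\n") {
		for _, tok := range urlToken.FindAllString(line, -1) {
			u, err := url.Parse(tok)
			if err != nil || u.User == nil {
				continue
			}
			if pw, ok := u.User.Password(); ok && pw != "xxxxx" {
				hits = append(hits, line)
				break
			}
		}
	}
	return hits
}

func main() {
	u, _ := url.Parse("https://alice:s3cret@api.example.com/v1/items")
	fmt.Println(LogLineUnsanitized("GET", u), "\n"+LogLineRedacted("GET", u))
	fmt.Println("leaked:", FindLeakedCredentialURLs(SampleLog))
}
```

Running the detector over existing log archives is a cheap way to confirm whether a pre-0.7.7 deployment ever wrote credentials to disk before rotating them.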

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages (3 packages)

Vulnerability Details (5)

OSV: Leak of sensitive information to log files in github.com/hashicorp/go-retryablehttp (2024-06-25)
GHSA: go-retryablehttp can leak basic auth credentials to log files (2024-06-24)
OSV: CVE-2024-6104: go-retryablehttp prior to 0 (2024-06-24)
CVEList: go-retryablehttp can leak basic auth credentials to log files (2024-06-24)
OSV: go-retryablehttp can leak basic auth credentials to log files (2024-06-24)

Vendor Advisories (3)

Red Hat: go-retryablehttp: url might write sensitive information to log file (2024-06-24)
Microsoft: go-retryablehttp can leak basic auth credentials to log files (2024-06-11)
Debian: CVE-2024-6104: golang-github-hashicorp-go-retryablehttp - go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its l... (2024)