Vulnerability Report: GO-2024-2618

CVE-2024-28110, GHSA-5pf6-2qwx-pxm2
Affects: github.com/cloudevents/sdk-go/v2
Published: Mar 11, 2024

Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact.

For detailed information about this vulnerability, visit https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2.

Affected Packages

Path

Versions

Symbols
github.com/cloudevents/sdk-go/v2/protocol/http

before v2.15.2
- New

Aliases

CVE-2024-28110
GHSA-5pf6-2qwx-pxm2

References

https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2
https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851
https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110
https://vuln.go.dev/ID/GO-2024-2618.json

Credits

mattmoortcnghia

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL