Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials
Impact What kind of vulnerability is it? Who is impacted? Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. The relevant code is here (also inline, emphasis added): When the transport is populated with an authenticated transport such as: oauth2.Transport idtoken.NewClient(…).Transport … then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint …