CVE-2024-28110: Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials
Impact
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. Any application that constructs its client this way is impacted: the credentials carried by that round tripper are no longer scoped to the intended CloudEvents endpoint.
The relevant code is here (also inline, emphasis added):
When the transport is populated with an authenticated transport such as:
… then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact!
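As an added example (not the SDK's own code), the aliasing defect behind this leak and its fix, reduced to a constructed authRoundTripper and two constructors: newClientVulnerable starts from the pointer http.DefaultClient before assigning the transport, newClientFixed allocates a private client. leakedAuthHeader shows the symptom by issuing an unrelated http.Get to a local test server and reporting which Authorization header arrived; all names and the token are constructed for this example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// authRoundTripper is a constructed stand-in for an authenticated transport:
// it attaches a bearer token to every request that passes through it.
type authRoundTripper struct {
	token string
	base  http.RoundTripper
}

func (a *authRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+a.token)
	return a.base.RoundTrip(r)
}

// newClientVulnerable mirrors the pre-fix pattern: the client starts out as the
// pointer http.DefaultClient, so setting Transport mutates the global client.
func newClientVulnerable(rt http.RoundTripper) *http.Client {
	c := http.DefaultClient
	c.Transport = rt
	return c
}

// newClientFixed allocates a private client that owns the authenticated
// transport; http.DefaultClient is never written to.
func newClientFixed(rt http.RoundTripper) *http.Client {
	return &http.Client{Transport: rt}
}

// leakedAuthHeader builds a client with the given constructor, then issues an
// unrelated http.Get (which uses http.DefaultClient) to a local test server and
// returns the Authorization header that server saw; "" means nothing leaked.
func leakedAuthHeader(build func(http.RoundTripper) *http.Client) string {
	defer func() { http.DefaultClient.Transport = nil }() // undo any mutation
	var seen string
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Authorization")
	}))
	defer srv.Close()
	_ = build(&authRoundTripper{token: "constructed-token", base: http.DefaultTransport})
	if resp, err := http.Get(srv.URL); err == nil {
		resp.Body.Close()
	}
	return seen
}
```

With the vulnerable constructor the unrelated server receives the bearer token; with the fixed one it receives nothing, which is the property a regression test for this class of bug should assert.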
Found and patched by: @tcnghia and @mattmoor
Patches
v2.15.2
References
- github.com/advisories/GHSA-5pf6-2qwx-pxm2
- github.com/cloudevents/sdk-go
- github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go
- github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851
- github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2
- nvd.nist.gov/vuln/detail/CVE-2024-28110