Bug 2268372 (CVE-2024-28110)

Summary: CVE-2024-28110 cloudevents/sdk-go: usage of WithRoundTripper to create a Client leaks credentials
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dhanak, dsimansk, kingland, kverlaen, matzew, mnovotny, pierdipi, rguimara, rhuss, sausingh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sdk-go 2.15.2 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in cloudevents/sdk-go. This issue involves using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper results in the go-sdk leaking credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport, causing it to send Authorization tokens to any endpoint it communicates with. This flaw allows an attacker to intercept and abuse these leaked credentials, potentially leading to unauthorized access to sensitive information or executing unauthorized actions on the affected system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2268381    

Description TEJ RATHI 2024-03-07 06:56:18 UTC 
Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.

https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110
https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851
https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2
Comment 2 errata-xmlrpc 2024-03-14 15:06:14 UTC 
This issue has been addressed in the following products:

  RHOSS-1.32-RHEL-8

Via RHSA-2024:1333 https://access.redhat.com/errata/RHSA-2024:1333
Comment 3 errata-xmlrpc 2024-06-27 10:52:24 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0040 https://access.redhat.com/errata/RHSA-2024:0040
Comment 4 errata-xmlrpc 2024-06-27 11:24:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041
Comment 5 errata-xmlrpc 2024-10-31 03:37:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:8425 https://access.redhat.com/errata/RHSA-2024:8425