Bug 2294000 (CVE-2024-6104)

Summary: CVE-2024-6104 go-retryablehttp: url might write sensitive information to log file
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: go-retryablehttp 0.7.7
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in go-retryablehttp. The package may suffer from a lack of input sanitization by not cleaning up URL data when writing to the logs. This issue could expose sensitive authentication information.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2294001, 2350492, 2294002, 2294003, 2294004, 2294005, 2294006, 2294007, 2294008, 2294009, 2294010, 2294011, 2294012, 2294013, 2294014, 2294110, 2294111, 2294112, 2294113, 2294114, 2294115, 2294116, 2294117, 2294118, 2296267, 2296270, 2309720, 2350489, 2350490    
Bug Blocks: 2293999    

Description Patrick Del Bello 2024-06-24 21:41:33 UTC
go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

https://discuss.hashicorp.com/c/security
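The logging defect described above, shown as an added Go example that is not code from go-retryablehttp or this bug report: the pre-fix pattern formats the full request URL (basic-auth credentials included) into a debug line, while the corrected pattern logs a copy whose password is replaced before logging. The `redactURL`, `unsafeLogLine` and `safeLogLine` names and the sample URL are constructed for this illustration; `redactURL` follows the shape `net/http` uses when it prints URLs in errors, and is an assumed reimplementation of the idea behind the 0.7.7 fix, not the library's own code.

```go
package main

import (
	"fmt"
	"log"
	"net/url"
	"os"
)

// redactURL returns u rendered with any userinfo password replaced by "xxxxx".
// Illustrative reimplementation of the idea behind the 0.7.7 fix (assumed here),
// not the library's code.
func redactURL(u *url.URL) string {
	if u == nil {
		return ""
	}
	ru := *u // shallow copy: the caller's URL keeps its credentials
	if ru.User != nil {
		if _, hasPw := ru.User.Password(); hasPw {
			ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
		}
	}
	return ru.String()
}

// unsafeLogLine mirrors the pre-0.7.7 pattern: the full URL, credentials
// included, is formatted into the debug line.
func unsafeLogLine(method string, u *url.URL) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, u.String())
}

// safeLogLine is the corrected pattern: only the redacted URL is logged.
func safeLogLine(method string, u *url.URL) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, redactURL(u))
}

func main() {
	// Constructed sample: a request URL carrying basic-auth credentials.
	u, err := url.Parse("https://svc-user:hunter2@api.example.com/v1/items?page=1")
	if err != nil {
		log.Fatal(err)
	}
	logger := log.New(os.Stderr, "", 0)
	logger.Println(unsafeLogLine("GET", u)) // password appears in the log
	logger.Println(safeLogLine("GET", u))   // password shown as xxxxx
}
```

A unit test that asserts the log line no longer contains the password is the cheapest regression check for this class of bug; it also catches callers that bypass the redacting path.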

Comment 1 Patrick Del Bello 2024-06-24 21:54:02 UTC
Created doctl tracking bugs for this issue:

Affects: fedora-all [bug 2294002]


Created golang-github-acme-lego tracking bugs for this issue:

Affects: fedora-all [bug 2294003]


Created golang-github-hashicorp-retryablehttp tracking bugs for this issue:

Affects: fedora-all [bug 2294004]


Created golang-github-moby-buildkit tracking bugs for this issue:

Affects: fedora-all [bug 2294005]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2294006]


Created opentofu tracking bugs for this issue:

Affects: fedora-all [bug 2294007]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2294008]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2294009]


Created skopeo tracking bugs for this issue:

Affects: fedora-all [bug 2294010]


Created stargz-snapshotter tracking bugs for this issue:

Affects: fedora-all [bug 2294011]


Created trivy tracking bugs for this issue:

Affects: fedora-all [bug 2294012]


Created vagrant tracking bugs for this issue:

Affects: fedora-all [bug 2294013]


Created vultr-cli tracking bugs for this issue:

Affects: fedora-all [bug 2294014]

Comment 10 errata-xmlrpc 2024-07-09 10:50:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4316 https://access.redhat.com/errata/RHSA-2024:4316

Comment 11 errata-xmlrpc 2024-07-10 11:23:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4321 https://access.redhat.com/errata/RHSA-2024:4321

Comment 15 errata-xmlrpc 2024-07-17 00:38:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4479 https://access.redhat.com/errata/RHSA-2024:4479

Comment 17 errata-xmlrpc 2024-07-24 18:53:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4613 https://access.redhat.com/errata/RHSA-2024:4613

Comment 18 errata-xmlrpc 2024-07-25 14:16:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4699 https://access.redhat.com/errata/RHSA-2024:4699

Comment 19 errata-xmlrpc 2024-07-25 14:44:26 UTC
This issue has been addressed in the following products:

  RHOSS-1.33-RHEL-8

Via RHSA-2024:4872 https://access.redhat.com/errata/RHSA-2024:4872

Comment 20 errata-xmlrpc 2024-07-31 00:43:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4853 https://access.redhat.com/errata/RHSA-2024:4853

Comment 21 errata-xmlrpc 2024-07-31 13:17:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4858 https://access.redhat.com/errata/RHSA-2024:4858

Comment 22 errata-xmlrpc 2024-07-31 14:32:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:4846 https://access.redhat.com/errata/RHSA-2024:4846

Comment 23 errata-xmlrpc 2024-07-31 14:45:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:4848 https://access.redhat.com/errata/RHSA-2024:4848

Comment 24 errata-xmlrpc 2024-08-06 11:28:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4965 https://access.redhat.com/errata/RHSA-2024:4965

Comment 25 errata-xmlrpc 2024-08-07 10:52:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4960 https://access.redhat.com/errata/RHSA-2024:4960

Comment 26 errata-xmlrpc 2024-08-07 13:31:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4963 https://access.redhat.com/errata/RHSA-2024:4963

Comment 27 errata-xmlrpc 2024-08-12 01:26:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:5194 https://access.redhat.com/errata/RHSA-2024:5194

Comment 29 errata-xmlrpc 2024-08-13 00:38:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5258 https://access.redhat.com/errata/RHSA-2024:5258

Comment 30 errata-xmlrpc 2024-08-13 09:55:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:5107 https://access.redhat.com/errata/RHSA-2024:5107

Comment 31 errata-xmlrpc 2024-08-15 14:24:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:5160 https://access.redhat.com/errata/RHSA-2024:5160

Comment 32 errata-xmlrpc 2024-08-19 01:02:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:5199 https://access.redhat.com/errata/RHSA-2024:5199

Comment 33 errata-xmlrpc 2024-08-19 05:40:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:5200 https://access.redhat.com/errata/RHSA-2024:5200

Comment 34 errata-xmlrpc 2024-08-19 07:42:26 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:5547 https://access.redhat.com/errata/RHSA-2024:5547

Comment 35 errata-xmlrpc 2024-08-20 16:07:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:5634 https://access.redhat.com/errata/RHSA-2024:5634

Comment 36 errata-xmlrpc 2024-08-22 11:42:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:5433 https://access.redhat.com/errata/RHSA-2024:5433

Comment 37 errata-xmlrpc 2024-08-22 11:43:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:5444 https://access.redhat.com/errata/RHSA-2024:5444

Comment 38 errata-xmlrpc 2024-08-22 12:14:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:5446 https://access.redhat.com/errata/RHSA-2024:5446

Comment 39 errata-xmlrpc 2024-08-29 03:07:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:5808 https://access.redhat.com/errata/RHSA-2024:5808

Comment 40 errata-xmlrpc 2024-08-29 18:30:54 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2024:6054 https://access.redhat.com/errata/RHSA-2024:6054

Comment 41 errata-xmlrpc 2024-09-03 19:14:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:6004 https://access.redhat.com/errata/RHSA-2024:6004

Comment 42 errata-xmlrpc 2024-09-03 19:54:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6194 https://access.redhat.com/errata/RHSA-2024:6194

Comment 43 errata-xmlrpc 2024-09-04 07:57:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:6009 https://access.redhat.com/errata/RHSA-2024:6009

Comment 44 errata-xmlrpc 2024-09-11 13:42:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:6409 https://access.redhat.com/errata/RHSA-2024:6409

Comment 45 errata-xmlrpc 2024-09-11 18:34:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:6406 https://access.redhat.com/errata/RHSA-2024:6406

Comment 46 errata-xmlrpc 2024-09-17 19:47:42 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.5 for RHEL 8
  multicluster engine for Kubernetes 2.5 for RHEL 9

Via RHSA-2024:6738 https://access.redhat.com/errata/RHSA-2024:6738

Comment 47 errata-xmlrpc 2024-09-18 03:07:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:6642 https://access.redhat.com/errata/RHSA-2024:6642

Comment 48 errata-xmlrpc 2024-09-18 11:58:19 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:6755 https://access.redhat.com/errata/RHSA-2024:6755

Comment 49 errata-xmlrpc 2024-09-25 01:07:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:6811 https://access.redhat.com/errata/RHSA-2024:6811

Comment 51 errata-xmlrpc 2024-10-01 08:41:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:3722 https://access.redhat.com/errata/RHSA-2024:3722

Comment 52 errata-xmlrpc 2024-10-03 11:01:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:7184 https://access.redhat.com/errata/RHSA-2024:7184

Comment 53 errata-xmlrpc 2024-10-03 11:22:54 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2024:7624 https://access.redhat.com/errata/RHSA-2024:7624

Comment 54 errata-xmlrpc 2024-10-07 12:50:29 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2024:7744 https://access.redhat.com/errata/RHSA-2024:7744

Comment 57 errata-xmlrpc 2024-10-14 01:36:32 UTC
This issue has been addressed in the following products:

  CLUSTER-OBSERVABILITY-OPERATOR-0.4-RHEL-8

Via RHSA-2024:8040 https://access.redhat.com/errata/RHSA-2024:8040

Comment 58 errata-xmlrpc 2024-11-12 08:45:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9098 https://access.redhat.com/errata/RHSA-2024:9098

Comment 59 errata-xmlrpc 2024-11-12 08:48:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9115 https://access.redhat.com/errata/RHSA-2024:9115

Comment 60 errata-xmlrpc 2024-12-03 18:08:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:10518 https://access.redhat.com/errata/RHSA-2024:10518

Comment 61 errata-xmlrpc 2024-12-12 00:40:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:10823 https://access.redhat.com/errata/RHSA-2024:10823

Comment 62 errata-xmlrpc 2025-01-02 18:28:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:11562 https://access.redhat.com/errata/RHSA-2024:11562

Comment 63 errata-xmlrpc 2025-01-09 18:50:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:0029 https://access.redhat.com/errata/RHSA-2025:0029

Comment 64 errata-xmlrpc 2025-02-13 02:27:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2025:1116 https://access.redhat.com/errata/RHSA-2025:1116

Comment 65 errata-xmlrpc 2025-02-25 04:38:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2024:6122 https://access.redhat.com/errata/RHSA-2024:6122

Comment 66 errata-xmlrpc 2025-02-25 09:15:19 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2025:1829 https://access.redhat.com/errata/RHSA-2025:1829

Comment 69 errata-xmlrpc 2025-02-26 00:59:56 UTC
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:1865 https://access.redhat.com/errata/RHSA-2025:1865

Comment 70 errata-xmlrpc 2025-02-26 02:32:56 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2025:1866 https://access.redhat.com/errata/RHSA-2025:1866