2268372 – (CVE-2024-28110) CVE-2024-28110 cloudevents/sdk-go: usage of WithRoundTripper to create a Client leaks credentials

Bug 2268372 (CVE-2024-28110) - CVE-2024-28110 cloudevents/sdk-go: usage of WithRoundTripper to create a Client leaks credentials

Summary: CVE-2024-28110 cloudevents/sdk-go: usage of WithRoundTripper to create a Clie...

Keywords:
Status:	NEW
Alias:	CVE-2024-28110
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2268381
TreeView+	depends on / blocked

Reported:	2024-03-07 06:56 UTC by TEJ RATHI
Modified:	2024-04-12 11:18 UTC (History)
CC List:	10 users (show)
Fixed In Version:	sdk-go 2.15.2
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in cloudevents/sdk-go. This issue involves using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper results in the go-sdk leaking credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport, causing it to send Authorization tokens to any endpoint it communicates with. This flaw allows an attacker to intercept and abuse these leaked credentials, potentially leading to unauthorized access to sensitive information or executing unauthorized actions on the affected system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:1333	0	None	None	None	2024-03-14 15:06:15 UTC

Description TEJ RATHI 2024-03-07 06:56:18 UTC

Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.

https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110
https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851
https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2

Comment 2 errata-xmlrpc 2024-03-14 15:06:14 UTC

This issue has been addressed in the following products:

  RHOSS-1.32-RHEL-8

Via RHSA-2024:1333 https://access.redhat.com/errata/RHSA-2024:1333

Note You need to log in before you can comment on or make changes to this bug.