Bug 2294000 (CVE-2024-6104) - CVE-2024-6104 go-retryablehttp: url might write sensitive information to log file
Summary: CVE-2024-6104 go-retryablehttp: url might write sensitive information to log file
Keywords:
Status: NEW
Alias: CVE-2024-6104
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2294001 2294002 2294004 2294005 2294006 2294008 2294009 2294010 2294011 2294012 2294114 2294117 2294003 2294007 2294013 2294014 2294110 2294111 2294112 2294113 2294115 2294116 2294118 2296267 2296270 2309720
Blocks: 2293999
Reported: 2024-06-24 21:41 UTC by Patrick Del Bello
Modified: 2024-10-14 01:36 UTC (History)

Fixed In Version: go-retryablehttp 0.7.7
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in go-retryablehttp. The package may suffer from a lack of input sanitization by not cleaning up URL data when writing to the logs. This issue could expose sensitive authentication information.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:5335 0 None None None 2024-08-13 17:32:58 UTC
Red Hat Product Errata RHSA-2024:3722 0 None None None 2024-10-01 08:41:14 UTC
Red Hat Product Errata RHSA-2024:4316 0 None None None 2024-07-09 10:50:54 UTC
Red Hat Product Errata RHSA-2024:4321 0 None None None 2024-07-10 11:23:39 UTC
Red Hat Product Errata RHSA-2024:4479 0 None None None 2024-07-17 00:38:24 UTC
Red Hat Product Errata RHSA-2024:4613 0 None None None 2024-07-24 18:53:44 UTC
Red Hat Product Errata RHSA-2024:4699 0 None None None 2024-07-25 14:16:40 UTC
Red Hat Product Errata RHSA-2024:4846 0 None None None 2024-07-31 14:32:43 UTC
Red Hat Product Errata RHSA-2024:4848 0 None None None 2024-07-31 14:46:02 UTC
Red Hat Product Errata RHSA-2024:4853 0 None None None 2024-07-31 00:43:48 UTC
Red Hat Product Errata RHSA-2024:4858 0 None None None 2024-07-31 13:17:30 UTC
Red Hat Product Errata RHSA-2024:4872 0 None None None 2024-07-25 14:44:32 UTC
Red Hat Product Errata RHSA-2024:4960 0 None None None 2024-08-07 10:52:22 UTC
Red Hat Product Errata RHSA-2024:4963 0 None None None 2024-08-07 13:31:54 UTC
Red Hat Product Errata RHSA-2024:4965 0 None None None 2024-08-06 11:28:22 UTC
Red Hat Product Errata RHSA-2024:5107 0 None None None 2024-08-13 09:55:11 UTC
Red Hat Product Errata RHSA-2024:5160 0 None None None 2024-08-15 14:24:50 UTC
Red Hat Product Errata RHSA-2024:5194 0 None None None 2024-08-12 01:26:33 UTC
Red Hat Product Errata RHSA-2024:5199 0 None None None 2024-08-19 01:02:45 UTC
Red Hat Product Errata RHSA-2024:5200 0 None None None 2024-08-19 05:40:49 UTC
Red Hat Product Errata RHSA-2024:5258 0 None None None 2024-08-13 00:38:43 UTC
Red Hat Product Errata RHSA-2024:5433 0 None None None 2024-08-22 11:42:22 UTC
Red Hat Product Errata RHSA-2024:5444 0 None None None 2024-08-22 11:43:36 UTC
Red Hat Product Errata RHSA-2024:5446 0 None None None 2024-08-22 12:14:41 UTC
Red Hat Product Errata RHSA-2024:5547 0 None None None 2024-08-19 07:42:32 UTC
Red Hat Product Errata RHSA-2024:5634 0 None None None 2024-08-20 16:07:36 UTC
Red Hat Product Errata RHSA-2024:5808 0 None None None 2024-08-29 03:08:02 UTC
Red Hat Product Errata RHSA-2024:6004 0 None None None 2024-09-03 19:14:36 UTC
Red Hat Product Errata RHSA-2024:6009 0 None None None 2024-09-04 07:57:10 UTC
Red Hat Product Errata RHSA-2024:6054 0 None None None 2024-08-29 18:30:58 UTC
Red Hat Product Errata RHSA-2024:6194 0 None None None 2024-09-03 19:55:02 UTC
Red Hat Product Errata RHSA-2024:6406 0 None None None 2024-09-11 18:34:45 UTC
Red Hat Product Errata RHSA-2024:6409 0 None None None 2024-09-11 13:42:11 UTC
Red Hat Product Errata RHSA-2024:6642 0 None None None 2024-09-18 03:07:30 UTC
Red Hat Product Errata RHSA-2024:6738 0 None None None 2024-09-17 19:47:48 UTC
Red Hat Product Errata RHSA-2024:6755 0 None None None 2024-09-18 11:58:25 UTC
Red Hat Product Errata RHSA-2024:6811 0 None None None 2024-09-25 01:07:09 UTC
Red Hat Product Errata RHSA-2024:7184 0 None None None 2024-10-03 11:01:27 UTC
Red Hat Product Errata RHSA-2024:7624 0 None None None 2024-10-03 11:23:00 UTC
Red Hat Product Errata RHSA-2024:7744 0 None None None 2024-10-07 12:50:35 UTC
Red Hat Product Errata RHSA-2024:8040 0 None None None 2024-10-14 01:36:38 UTC

Description Patrick Del Bello 2024-06-24 21:41:33 UTC
go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

https://discuss.hashicorp.com/c/security
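As an added illustration, not code from this bug report or from go-retryablehttp itself, the Go program below shows one mitigation consistent with the description (stripping the userinfo password with the standard library's url.URL.Redacted before a request URL reaches the log) together with a defender-side audit that scans constructed sample log lines for URLs that still carry a basic-auth password. The regular expression and the log-line format are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// RedactURL parses a request URL and returns it with any embedded password
// replaced by "xxxxx", using the standard library's (*url.URL).Redacted.
// Logging this string instead of the raw URL keeps basic-auth credentials
// out of the log file.
func RedactURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return u.Redacted(), nil
}

// credentialInURL (assumed pattern) matches scheme://user:password@ inside
// free text, which is the shape a leaked basic-auth URL takes in a log line.
var credentialInURL = regexp.MustCompile(`[A-Za-z][A-Za-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@`)

// FindLeakedCredentialLines returns the zero-based indexes of log lines that
// still contain a password-bearing URL, for auditing logs written by a client
// that logged unsanitised URLs.
func FindLeakedCredentialLines(lines []string) []int {
	var hits []int
	for i, line := range lines {
		if credentialInURL.MatchString(line) {
			hits = append(hits, i)
		}
	}
	return hits
}

func main() {
	// Constructed sample log lines in the style of an HTTP client's debug output.
	logLines := []string{
		"[DEBUG] GET https://alice:s3cret@example.com/api/v1/items",
		"[DEBUG] GET https://example.com/healthz",
		"[DEBUG] POST https://bob:hunter2@internal.example.com:8443/upload",
	}
	fmt.Println("lines with leaked credentials:", FindLeakedCredentialLines(logLines))
	safe, _ := RedactURL("https://alice:s3cret@example.com/api/v1/items")
	fmt.Println("what should have been logged:", safe)
}
```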

Comment 1 Patrick Del Bello 2024-06-24 21:54:02 UTC
Created doctl tracking bugs for this issue:

Affects: fedora-all [bug 2294002]


Created golang-github-acme-lego tracking bugs for this issue:

Affects: fedora-all [bug 2294003]


Created golang-github-hashicorp-retryablehttp tracking bugs for this issue:

Affects: fedora-all [bug 2294004]


Created golang-github-moby-buildkit tracking bugs for this issue:

Affects: fedora-all [bug 2294005]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2294006]


Created opentofu tracking bugs for this issue:

Affects: fedora-all [bug 2294007]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2294008]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2294009]


Created skopeo tracking bugs for this issue:

Affects: fedora-all [bug 2294010]


Created stargz-snapshotter tracking bugs for this issue:

Affects: fedora-all [bug 2294011]


Created trivy tracking bugs for this issue:

Affects: fedora-all [bug 2294012]


Created vagrant tracking bugs for this issue:

Affects: fedora-all [bug 2294013]


Created vultr-cli tracking bugs for this issue:

Affects: fedora-all [bug 2294014]

Comment 10 errata-xmlrpc 2024-07-09 10:50:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4316 https://access.redhat.com/errata/RHSA-2024:4316

Comment 11 errata-xmlrpc 2024-07-10 11:23:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4321 https://access.redhat.com/errata/RHSA-2024:4321

Comment 15 errata-xmlrpc 2024-07-17 00:38:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4479 https://access.redhat.com/errata/RHSA-2024:4479

Comment 17 errata-xmlrpc 2024-07-24 18:53:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4613 https://access.redhat.com/errata/RHSA-2024:4613

Comment 18 errata-xmlrpc 2024-07-25 14:16:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4699 https://access.redhat.com/errata/RHSA-2024:4699

Comment 19 errata-xmlrpc 2024-07-25 14:44:26 UTC
This issue has been addressed in the following products:

  RHOSS-1.33-RHEL-8

Via RHSA-2024:4872 https://access.redhat.com/errata/RHSA-2024:4872

Comment 20 errata-xmlrpc 2024-07-31 00:43:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4853 https://access.redhat.com/errata/RHSA-2024:4853

Comment 21 errata-xmlrpc 2024-07-31 13:17:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4858 https://access.redhat.com/errata/RHSA-2024:4858

Comment 22 errata-xmlrpc 2024-07-31 14:32:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:4846 https://access.redhat.com/errata/RHSA-2024:4846

Comment 23 errata-xmlrpc 2024-07-31 14:45:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:4848 https://access.redhat.com/errata/RHSA-2024:4848

Comment 24 errata-xmlrpc 2024-08-06 11:28:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4965 https://access.redhat.com/errata/RHSA-2024:4965

Comment 25 errata-xmlrpc 2024-08-07 10:52:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4960 https://access.redhat.com/errata/RHSA-2024:4960

Comment 26 errata-xmlrpc 2024-08-07 13:31:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4963 https://access.redhat.com/errata/RHSA-2024:4963

Comment 27 errata-xmlrpc 2024-08-12 01:26:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:5194 https://access.redhat.com/errata/RHSA-2024:5194

Comment 29 errata-xmlrpc 2024-08-13 00:38:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5258 https://access.redhat.com/errata/RHSA-2024:5258

Comment 30 errata-xmlrpc 2024-08-13 09:55:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:5107 https://access.redhat.com/errata/RHSA-2024:5107

Comment 31 errata-xmlrpc 2024-08-15 14:24:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:5160 https://access.redhat.com/errata/RHSA-2024:5160

Comment 32 errata-xmlrpc 2024-08-19 01:02:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:5199 https://access.redhat.com/errata/RHSA-2024:5199

Comment 33 errata-xmlrpc 2024-08-19 05:40:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:5200 https://access.redhat.com/errata/RHSA-2024:5200

Comment 34 errata-xmlrpc 2024-08-19 07:42:26 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:5547 https://access.redhat.com/errata/RHSA-2024:5547

Comment 35 errata-xmlrpc 2024-08-20 16:07:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:5634 https://access.redhat.com/errata/RHSA-2024:5634

Comment 36 errata-xmlrpc 2024-08-22 11:42:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:5433 https://access.redhat.com/errata/RHSA-2024:5433

Comment 37 errata-xmlrpc 2024-08-22 11:43:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:5444 https://access.redhat.com/errata/RHSA-2024:5444

Comment 38 errata-xmlrpc 2024-08-22 12:14:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:5446 https://access.redhat.com/errata/RHSA-2024:5446

Comment 39 errata-xmlrpc 2024-08-29 03:07:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:5808 https://access.redhat.com/errata/RHSA-2024:5808

Comment 40 errata-xmlrpc 2024-08-29 18:30:54 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2024:6054 https://access.redhat.com/errata/RHSA-2024:6054

Comment 41 errata-xmlrpc 2024-09-03 19:14:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:6004 https://access.redhat.com/errata/RHSA-2024:6004

Comment 42 errata-xmlrpc 2024-09-03 19:54:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6194 https://access.redhat.com/errata/RHSA-2024:6194

Comment 43 errata-xmlrpc 2024-09-04 07:57:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:6009 https://access.redhat.com/errata/RHSA-2024:6009

Comment 44 errata-xmlrpc 2024-09-11 13:42:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:6409 https://access.redhat.com/errata/RHSA-2024:6409

Comment 45 errata-xmlrpc 2024-09-11 18:34:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:6406 https://access.redhat.com/errata/RHSA-2024:6406

Comment 46 errata-xmlrpc 2024-09-17 19:47:42 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.5 for RHEL 8
  multicluster engine for Kubernetes 2.5 for RHEL 9

Via RHSA-2024:6738 https://access.redhat.com/errata/RHSA-2024:6738

Comment 47 errata-xmlrpc 2024-09-18 03:07:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:6642 https://access.redhat.com/errata/RHSA-2024:6642

Comment 48 errata-xmlrpc 2024-09-18 11:58:19 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:6755 https://access.redhat.com/errata/RHSA-2024:6755

Comment 49 errata-xmlrpc 2024-09-25 01:07:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:6811 https://access.redhat.com/errata/RHSA-2024:6811

Comment 51 errata-xmlrpc 2024-10-01 08:41:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:3722 https://access.redhat.com/errata/RHSA-2024:3722

Comment 52 errata-xmlrpc 2024-10-03 11:01:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:7184 https://access.redhat.com/errata/RHSA-2024:7184

Comment 53 errata-xmlrpc 2024-10-03 11:22:54 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2024:7624 https://access.redhat.com/errata/RHSA-2024:7624

Comment 54 errata-xmlrpc 2024-10-07 12:50:29 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2024:7744 https://access.redhat.com/errata/RHSA-2024:7744

Comment 57 errata-xmlrpc 2024-10-14 01:36:32 UTC
This issue has been addressed in the following products:

  CLUSTER-OBSERVABILITY-OPERATOR-0.4-RHEL-8

Via RHSA-2024:8040 https://access.redhat.com/errata/RHSA-2024:8040

