Credentials disclosure in Go SDK for CloudEvents



Published: 2024-04-03
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2024-28110
CWE-ID CWE-523
Exploitation vector Network
Public exploit N/A
Vulnerable software
Go SDK for CloudEvents
Universal components / Libraries / Software for developers

Vendor CloudEvents

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Unprotected Transport of Credentials

EUVDB-ID: #VU88097

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-28110

CWE-ID: CWE-523 - Unprotected Transport of Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in the cloudevents.WithRoundTripper method used for creation of a cloudevents.Client with an authenticated http.RoundTripper. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. As a result, a remote attacker can intercept credentials leaked by the go-sdk.
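
The pattern the description refers to, shown as an added illustration that is not the sdk-go code: a stand-in authenticated RoundTripper is installed on the shared http.DefaultClient, after which a plain http.Get made by unrelated code to a local test server also carries the bearer token; the hardened variant keeps the transport in a dedicated *http.Client. The names authTransport, newEndpoint, leakViaDefaultClient and dedicatedClient, and the token value, are constructed for this example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// authTransport is a constructed stand-in (not the sdk-go type) for an authenticated
// http.RoundTripper: it adds a bearer token to every request before forwarding it.
type authTransport struct{ token string }

func (t authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return http.DefaultTransport.RoundTrip(r)
}

// newEndpoint stands in for an unrelated service and reports the Authorization header it last saw.
func newEndpoint() (*httptest.Server, func() string) {
	var seen string
	srv := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { seen = r.Header.Get("Authorization") }))
	return srv, func() string { return seen }
}

// get performs a request and discards the response; only the header the server saw matters here.
func get(c *http.Client, url string) {
	if resp, err := c.Get(url); err == nil {
		resp.Body.Close()
	}
}

// leakViaDefaultClient reproduces the advisory's pattern: the process-wide http.DefaultClient
// is given the authenticated transport, so http.Get from unrelated code leaks the token too.
func leakViaDefaultClient(token string) string {
	srv, seen := newEndpoint()
	defer srv.Close()
	defer func(t http.RoundTripper) { http.DefaultClient.Transport = t }(http.DefaultClient.Transport)
	http.DefaultClient.Transport = authTransport{token: token}
	get(http.DefaultClient, srv.URL) // exactly what http.Get(srv.URL) does
	return seen()
}

// dedicatedClient is the hardened form: the token rides only in a private *http.Client, never in http.DefaultClient.
func dedicatedClient(token string) (sdk, unrelated string) {
	srv, seen := newEndpoint()
	defer srv.Close()
	get(&http.Client{Transport: authTransport{token: token}}, srv.URL)
	sdk = seen()
	get(http.DefaultClient, srv.URL)
	return sdk, seen()
}
```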

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Go SDK for CloudEvents: 0.2 - 2.15.1

External links

http://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2
http://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851
http://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
