CVE-2024-28110
Authentication token leak in github.com/cloudevents/sdk-go/v2
CVSS 3.1 score: 7.5 (HIGH); EPSS: 0.14%
Description
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact.
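The mechanism above, reproduced as an added example with only the Go standard library (this is not sdk-go code and does not depend on the cloudevents module). `bearerTransport` is a constructed stand-in for the "authenticated http.RoundTripper" the advisory refers to; the two `httptest` servers stand in for the intended CloudEvents sink and for an unrelated endpoint. `LeakedViaDefaultClient` shows why mutating `http.DefaultClient` leaks the token, and `ScopedClient` shows the safe alternative: a dedicated `http.Client` with a transport that only authenticates the intended host.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// bearerTransport is a constructed stand-in for an "authenticated
// http.RoundTripper": it stamps a bearer token on every outgoing request,
// whatever the destination host.
type bearerTransport struct {
	token string
	next  http.RoundTripper
}

func (t bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.next.RoundTrip(r)
}

// hostScopedTransport attaches the token only to requests bound for one host.
// Anything else is forwarded untouched, so a misrouted call cannot carry it.
type hostScopedTransport struct {
	token string
	host  string
	next  http.RoundTripper
}

func (t hostScopedTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.URL.Host != t.host {
		return t.next.RoundTrip(req)
	}
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.next.RoundTrip(r)
}

// recorder is a local test server that remembers the Authorization header
// of the most recent request it served.
type recorder struct {
	srv  *httptest.Server
	mu   sync.Mutex
	last string
}

func newRecorder() *recorder {
	rec := &recorder{}
	rec.srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec.mu.Lock()
		rec.last = r.Header.Get("Authorization")
		rec.mu.Unlock()
		w.WriteHeader(http.StatusNoContent)
	}))
	return rec
}

func (r *recorder) seen() string {
	r.mu.Lock()
	defer r.mu.Unlock()
	return r.last
}

// get performs a request and discards the response.
func get(c *http.Client, target string) {
	if resp, err := c.Get(target); err == nil {
		resp.Body.Close()
	}
}

// LeakedViaDefaultClient shows the vulnerable pattern: installing the
// authenticated transport on the process-wide http.DefaultClient. It returns
// the Authorization header observed by an unrelated host that a later call
// through the default client (e.g. plain http.Get) happened to contact.
func LeakedViaDefaultClient(token string) string {
	intended, other := newRecorder(), newRecorder()
	defer intended.srv.Close()
	defer other.srv.Close()

	saved := http.DefaultClient.Transport
	defer func() { http.DefaultClient.Transport = saved }()

	// The mutation the advisory describes: the default client now authenticates everything.
	http.DefaultClient.Transport = bearerTransport{token: token, next: http.DefaultTransport}

	get(http.DefaultClient, intended.srv.URL) // the call that was meant to be authenticated
	get(http.DefaultClient, other.srv.URL)    // any other code path using http.Get / http.DefaultClient
	return other.seen()
}

// ScopedClient shows the hardened pattern: a dedicated http.Client whose
// transport only authenticates the intended host; http.DefaultClient is
// left alone. It returns the headers seen by the intended and unrelated hosts.
func ScopedClient(token string) (atIntended, atOther string) {
	intended, other := newRecorder(), newRecorder()
	defer intended.srv.Close()
	defer other.srv.Close()

	u, err := url.Parse(intended.srv.URL)
	if err != nil {
		panic(err)
	}
	client := &http.Client{Transport: hostScopedTransport{token: token, host: u.Host, next: http.DefaultTransport}}
	get(client, intended.srv.URL)
	get(client, other.srv.URL)
	return intended.seen(), other.seen()
}

func main() {
	fmt.Printf("unrelated host saw via DefaultClient: %q\n", LeakedViaDefaultClient("s3cr3t"))
	a, b := ScopedClient("s3cr3t")
	fmt.Printf("scoped client: intended=%q unrelated=%q\n", a, b)
}
```

Scoping the token at the transport layer rather than at the call site also covers redirects: if the intended host answered with a 3xx to a different origin, the follow-up request passes through the same RoundTripper and is sent without the Authorization header. When auditing a code base for this class of bug, grep for assignments to `http.DefaultClient.Transport` and `http.DefaultTransport`; any authenticated transport stored there is reachable by every package that calls `http.Get`, `http.Post` or `http.DefaultClient.Do`.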
How to fix CVE-2024-28110
To remediate CVE-2024-28110, upgrade the affected package to a fixed version below.
- upgrade to 2.15.2 or later
Is CVE-2024-28110 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- all versions from 0 up to, but not including, 2.15.2
- all versions from 0 up to, but not including, 2.15.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (4)
- PATCH: github.com/cloudevents/sdk-go
- WEB: github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110
- WEB: github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851
- WEB: github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2