ghsa-5pf6-2qwx-pxm2
Vulnerability from github
Published
2024-03-06 20:11
Modified
2024-03-12 15:22
Summary
Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials
Details
Impact
What kind of vulnerability is it? Who is impacted? Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.
The relevant code is here (also inline, emphasis added):
if p.Client == nil {
p.Client = **http.DefaultClient**
}
if p.roundTripper != nil {
p.Client.**Transport = p.roundTripper**
}
When the transport is populated with an authenticated transport such as: - oauth2.Transport - idtoken.NewClient(...).Transport
... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact!
Found and patched by: @tcnghia and @mattmoor
Patches
v.2.15.2
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.15.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/cloudevents/sdk-go/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.15.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28110"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2024-03-06T20:11:59Z",
"nvd_published_at": "2024-03-06T22:15:57Z",
"severity": "MODERATE"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\nUsing cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.\n\nThe relevant code is [here](https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110) (also inline, emphasis added):\n\n\u003cpre\u003eif p.Client == nil {\n p.Client = **http.DefaultClient**\n}\n\nif p.roundTripper != nil {\n p.Client.**Transport = p.roundTripper**\n}\n\u003c/pre\u003e\n\nWhen the transport is populated with an authenticated transport such as:\n- [oauth2.Transport](https://pkg.go.dev/golang.org/x/oauth2#Transport)\n- [idtoken.NewClient(...).Transport](https://pkg.go.dev/google.golang.org/api/idtoken#NewClient)\n\n... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to\n**any endpoint** it is used to contact!\n\nFound and patched by: @tcnghia and @mattmoor\n\n### Patches\nv.2.15.2\n",
"id": "GHSA-5pf6-2qwx-pxm2",
"modified": "2024-03-12T15:22:22Z",
"published": "2024-03-06T20:11:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2"
},
{
"type": "WEB",
"url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851"
},
{
"type": "PACKAGE",
"url": "https://github.com/cloudevents/sdk-go"
},
{
"type": "WEB",
"url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Go SDK for CloudEvents\u0027s use of WithRoundTripper to create a Client leaks credentials"
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.