SB2024040352 - Credentials disclosure in Go SDK for CloudEvents
Published: April 3, 2024
Description
This security bulletin contains information about 1 security vulnerability.
1) Unprotected Transport of Credentials (CVE-ID: CVE-2024-28110)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error in the cloudevents.WithRoundTripper method, which is used to create a cloudevents.Client with an authenticated http.RoundTripper. When the transport is populated with an authenticated transport, http.DefaultClient is modified to use that authenticated transport and starts sending Authorization tokens to any endpoint it is used to contact. As a result, a remote attacker can intercept credentials leaked by the go-sdk.
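The mechanism described above, as an added Go example that is not code from the CloudEvents SDK: newClientShared models the flaw by installing an authenticated RoundTripper on the process-wide http.DefaultClient, newClientIsolated shows the safe pattern of a dedicated client, and leaksToUnrelatedEndpoint checks whether an unrelated request made through http.Get carries the token. The authTransport type, the token value and the local test server are constructed for this demonstration.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// authTransport stands in for an authenticated http.RoundTripper: it adds a bearer token to each request.
type authTransport struct {
	token string
	base  http.RoundTripper
}

func (t *authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	req = req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
	req.Header.Set("Authorization", "Bearer "+t.token)
	return t.base.RoundTrip(req)
}

// newClientShared models the flaw described in the bulletin: the authenticated transport is
// installed on the process-wide http.DefaultClient, so every http.Get in the process sends the token.
func newClientShared(rt http.RoundTripper) *http.Client {
	http.DefaultClient.Transport = rt
	return http.DefaultClient
}

// newClientIsolated is the safe pattern: a dedicated client owns the transport, and
// http.DefaultClient is left untouched.
func newClientIsolated(rt http.RoundTripper) *http.Client {
	return &http.Client{Transport: rt}
}

// leaksToUnrelatedEndpoint builds an authenticated client with build, then sends an unrelated
// request through http.DefaultClient to a local test server and reports whether the token arrived.
func leaksToUnrelatedEndpoint(build func(http.RoundTripper) *http.Client) (bool, error) {
	saved := http.DefaultClient.Transport
	defer func() { http.DefaultClient.Transport = saved }()
	seen := make(chan string, 1)
	unrelated := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get("Authorization")
	}))
	defer unrelated.Close()
	_ = build(&authTransport{token: "constructed-example-token", base: http.DefaultTransport})
	resp, err := http.Get(unrelated.URL) // unrelated code path that relies on the default client
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return <-seen != "", nil
}
```

Calling leaksToUnrelatedEndpoint with newClientShared returns true (the token reaches a host the authenticated client was never meant to contact), while newClientIsolated returns false.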
Remediation
Install the update from the vendor's website.