#VU88097 Unprotected Transport of Credentials in Go SDK for CloudEvents


Published: 2024-04-03

Vulnerability identifier: #VU88097

Vulnerability risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-28110

CWE-ID: CWE-523

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go SDK for CloudEvents
Universal components / Libraries / Software for developers

Vendor: CloudEvents

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in the cloudevents.WithRoundTripper method, which is used to create a cloudevents.Client with an authenticated http.RoundTripper. When the transport is populated with an authenticated transport, http.DefaultClient is modified with that authenticated transport and starts sending Authorization tokens to any endpoint it is used to contact. As a result, a remote attacker can intercept credentials leaked by the go-sdk.
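The following is an added illustration of the pattern the description names, not code from sdk-go itself: an authenticated RoundTripper written into the shared http.DefaultClient makes unrelated http.Get calls in the same process send the token to whatever host they contact, while keeping it on a dedicated client does not. The authTransport type, the token value and the local echo server are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// authTransport is a hypothetical authenticated RoundTripper (constructed for
// this example) that adds a bearer token to every request it handles.
type authTransport struct {
	token string
	base  http.RoundTripper
}
func (t *authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.base.RoundTrip(r)
}
// leakyInstall reproduces the flawed pattern: the authenticated transport is
// written into the shared http.DefaultClient, so any later http.Get sends the token.
func leakyInstall(rt http.RoundTripper) *http.Client {
	http.DefaultClient.Transport = rt
	return http.DefaultClient
}
// safeInstall keeps the authenticated transport on a dedicated client instead.
func safeInstall(rt http.RoundTripper) *http.Client {
	return &http.Client{Transport: rt}
}

// authHeaderSeenByUnrelatedCall installs the transport via install, then makes a plain
// http.Get (code that never asked for credentials) to a local server echoing the Authorization header.
func authHeaderSeenByUnrelatedCall(install func(http.RoundTripper) *http.Client) string {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Seen-Authorization", r.Header.Get("Authorization"))
	}))
	defer srv.Close()
	saved := http.DefaultClient.Transport
	defer func() { http.DefaultClient.Transport = saved }() // undo the global mutation
	install(&authTransport{token: "example-token", base: http.DefaultTransport})
	resp, err := http.Get(srv.URL)
	if err != nil { return "error: " + err.Error() }
	defer resp.Body.Close()
	return resp.Header.Get("X-Seen-Authorization")
}

func main() {
	fmt.Printf("leaky install: %q\n", authHeaderSeenByUnrelatedCall(leakyInstall)) // "Bearer example-token"
	fmt.Printf("safe install:  %q\n", authHeaderSeenByUnrelatedCall(safeInstall))  // ""
}
```

A unit test that asserts http.DefaultClient.Transport is still nil after building a client is a cheap regression check for this class of bug in any library that accepts a caller-supplied transport.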

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Go SDK for CloudEvents: 0.2 - 2.15.1


External links
http://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2
http://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851
http://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

