Vulnerability identifier: #VU88097
Vulnerability risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-523
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Go SDK for CloudEvents (Universal components / Libraries / Software for developers)
Vendor: CloudEvents
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error in the cloudevents.WithRoundTripper method used to create a cloudevents.Client with an authenticated http.RoundTripper. When the transport is populated with an authenticated transport, the process-wide http.DefaultClient is modified to use that authenticated transport, so every subsequent request made through http.DefaultClient, to any endpoint, carries the Authorization tokens. As a result, a remote attacker who operates or observes one of those unrelated endpoints can intercept credentials leaked by the go-sdk.
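The following is an added illustration, not code from the CloudEvents go-sdk or from the advisory. It reproduces the flaw class described above using only the standard library: an authenticated http.RoundTripper (the hypothetical authTransport type, attaching a constructed bearer token) is installed on the shared http.DefaultClient, after which an unrelated request made through http.DefaultClient to a local test server also carries the token. The hardened variant keeps the authenticated transport inside a dedicated http.Client, which is the mitigation shape a caller or library should use. The constructor names newClientVulnerable and newClientFixed and the helper authHeaderSeenByUnrelatedEndpoint are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// authTransport is a hypothetical authenticated http.RoundTripper: it attaches a
// bearer token to every request it forwards, standing in for the authenticated
// transport a caller would pass to cloudevents.WithRoundTripper.
type authTransport struct {
	token string
	base  http.RoundTripper
}

func (a *authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+a.token)
	return a.base.RoundTrip(r)
}

// newClientVulnerable models the flawed pattern from the advisory: the
// authenticated transport is installed on the process-wide http.DefaultClient,
// so every later request that goes through http.DefaultClient carries the token.
func newClientVulnerable(rt http.RoundTripper) *http.Client {
	http.DefaultClient.Transport = rt
	return http.DefaultClient
}

// newClientFixed builds a dedicated http.Client that owns the authenticated
// transport; http.DefaultClient is left untouched.
func newClientFixed(rt http.RoundTripper) *http.Client {
	return &http.Client{Transport: rt}
}

// authHeaderSeenByUnrelatedEndpoint builds a client with the given constructor,
// then issues an unrelated request through http.DefaultClient to a local test
// server and returns the Authorization header that server observed ("" if none).
func authHeaderSeenByUnrelatedEndpoint(mk func(http.RoundTripper) *http.Client) string {
	// Restore the shared default client afterwards so the two scenarios do not
	// contaminate each other.
	saved := http.DefaultClient.Transport
	defer func() { http.DefaultClient.Transport = saved }()

	// The channel hands the observed header from the server goroutine back to us.
	seen := make(chan string, 1)
	unrelated := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get("Authorization")
	}))
	defer unrelated.Close()

	// Constructed token: a stand-in for a real credential.
	rt := &authTransport{token: "constructed-secret-token", base: http.DefaultTransport}
	_ = mk(rt) // the CloudEvents client would hold the returned *http.Client

	// Some other part of the program talks to an unrelated endpoint via the
	// default client, as plenty of library code does.
	resp, err := http.DefaultClient.Get(unrelated.URL + "/unrelated")
	if err != nil {
		return "error: " + err.Error()
	}
	resp.Body.Close()
	return <-seen
}

func main() {
	fmt.Printf("vulnerable pattern, unrelated endpoint saw Authorization=%q\n",
		authHeaderSeenByUnrelatedEndpoint(newClientVulnerable))
	fmt.Printf("fixed pattern,      unrelated endpoint saw Authorization=%q\n",
		authHeaderSeenByUnrelatedEndpoint(newClientFixed))
}
```

Run with `go run .`: the vulnerable constructor makes the unrelated server receive the bearer token, while the fixed constructor leaves the header empty. As a review check for any Go code base, an assignment to http.DefaultClient.Transport (or to http.DefaultTransport) outside of main is the pattern to flag, since it silently changes the behaviour of every other caller in the process.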
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Go SDK for CloudEvents: 0.2 - 2.15.1
External links
http://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2
http://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851
http://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.