#VU88097 Unprotected Transport of Credentials in Go SDK for CloudEvents - CVE-2024-28110

Published: April 3, 2024


Vulnerability identifier: #VU88097
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-28110
CWE-ID: CWE-523
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Go SDK for CloudEvents
Software vendor:
CloudEvents

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in the cloudevents.WithRoundTripper method, used to create a cloudevents.Client with an authenticated http.RoundTripper. When this option is populated with an authenticated transport, http.DefaultClient is modified to use that transport and starts sending Authorization tokens to any endpoint it is used to contact. As a result, a remote attacker can intercept credentials leaked by the go-sdk.
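As an added illustration (not code from the advisory or from the SDK itself), the following Go program reproduces the pattern the description outlines: assigning an authenticated transport to the process-wide http.DefaultClient, beside the safe alternative of giving the CloudEvents client its own http.Client, and checks whether a request made by unrelated code through http.DefaultClient carries the token. The names rtFunc, authRT, vulnerableSetup, fixedSetup and unrelatedCallLeaksToken, the token value and the URL are assumptions constructed for the example; the recorder stands in for the network so it runs offline.

```go
package main

import (
	"io"
	"net/http"
	"strings"
)

// rtFunc lets a plain function act as an http.RoundTripper.
type rtFunc func(*http.Request) (*http.Response, error)
func (f rtFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// authRT is a hypothetical authenticated transport: it sets a bearer token on a clone
// of the request (the caller's copy stays untouched) and delegates to base.
func authRT(token string, base http.RoundTripper) http.RoundTripper {
	return rtFunc(func(req *http.Request) (*http.Response, error) {
		req = req.Clone(req.Context())
		req.Header.Set("Authorization", "Bearer "+token)
		return base.RoundTrip(req)
	})
}

// vulnerableSetup reproduces the flawed pattern: fall back to the process-wide http.DefaultClient
// and overwrite its Transport, so every unrelated user of it now sends the token wherever it calls.
func vulnerableSetup(rt http.RoundTripper) *http.Client {
	c := http.DefaultClient
	c.Transport = rt
	return c
}

// fixedSetup confines the credential-bearing transport to a dedicated client.
func fixedSetup(rt http.RoundTripper) *http.Client { return &http.Client{Transport: rt} }

// unrelatedCallLeaksToken points a fresh http.DefaultClient at a constructed recorder
// instead of the network, runs setup, then issues a request the way unrelated code would
// (through http.DefaultClient) and reports whether that request carried the token.
func unrelatedCallLeaksToken(setup func(http.RoundTripper) *http.Client) (bool, error) {
	var seen string
	rec := rtFunc(func(req *http.Request) (*http.Response, error) {
		seen = req.Header.Get("Authorization")
		return &http.Response{StatusCode: 200, Header: http.Header{}, Body: io.NopCloser(strings.NewReader(""))}, nil
	})
	saved := http.DefaultClient
	http.DefaultClient = &http.Client{Transport: rec}
	defer func() { http.DefaultClient = saved }() // put the real default client back
	_ = setup(authRT("constructed-token", rec))
	resp, err := http.DefaultClient.Get("http://unrelated.example/health")
	if err != nil { return false, err }
	resp.Body.Close()
	return seen != "", nil
}
```

Run both setups through unrelatedCallLeaksToken: the mutated-default variant reports true (the unrelated request carried the bearer token), the dedicated-client variant reports false.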


Remediation

Install updates from the vendor's website.

External links