CVE-2024-28110

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published: Mar 6, 2024
Updated: Mar 7, 2024
CWE ID: 522

Summary

CVE-2024-28110 is a credential-leak vulnerability in the Go SDK for CloudEvents (go-sdk) before version 2.15.2, the SDK used to integrate Go applications with CloudEvents. It is triggered when cloudevents.WithRoundTripper is used to create a cloudevents.Client with an authenticated http.RoundTripper. Instead of confining that transport to the newly created client, the SDK installed it on the process-wide http.DefaultClient, so any request made through the default client, to any endpoint, carried the Authorization token; credentials were therefore leaked to arbitrary endpoints. Version 2.15.2 fixes the issue by handling authenticated transports correctly.
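To make the failure mode concrete, the following is an added Go example (not the CloudEvents SDK's own code): a transport that attaches a bearer token, a constructor that installs it on http.DefaultClient the way the pre-2.15.2 SDK did, and the fixed form that gives the authenticated transport a dedicated client. The helper names, the token value and the local test server standing in for an unrelated endpoint are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// bearerTransport attaches a static Authorization header to every request it sends.
type bearerTransport struct{ token string; base http.RoundTripper }
func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.base.RoundTrip(r)
}
// newClientVulnerable mirrors the pre-2.15.2 behaviour the advisory describes: the
// authenticated transport is installed on the process-wide http.DefaultClient.
func newClientVulnerable(rt http.RoundTripper) *http.Client {
	http.DefaultClient.Transport = rt
	return http.DefaultClient
}
// newClientFixed gives the authenticated transport its own client and leaves the default alone.
func newClientFixed(rt http.RoundTripper) *http.Client {
	return &http.Client{Transport: rt}
}
// authHeaderSeenByDefaultClient builds a client with mk, then sends a request through
// http.DefaultClient to an unrelated local test server and returns the Authorization
// header that server received ("" when none was sent).
func authHeaderSeenByDefaultClient(mk func(http.RoundTripper) *http.Client) string {
	saved := http.DefaultClient.Transport
	defer func() { http.DefaultClient.Transport = saved }()
	seen := make(chan string, 1)
	srv := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get("Authorization")
	}))
	defer srv.Close()
	_ = mk(&bearerTransport{token: "constructed-example-token", base: http.DefaultTransport}) // constructed token
	resp, err := http.DefaultClient.Get(srv.URL)
	if err != nil {
		return "error: " + err.Error()
	}
	resp.Body.Close()
	return <-seen
}

func main() {
	fmt.Println("vulnerable:", authHeaderSeenByDefaultClient(newClientVulnerable)) // -> "Bearer constructed-example-token"
	fmt.Println("fixed:", authHeaderSeenByDefaultClient(newClientFixed))           // -> ""
}
```

The same pattern applies to any library constructor: a credential-bearing transport belongs on a client the caller owns, never on a package-level default shared by the whole process.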

