GHSA-5pf6-2qwx-pxm2

Source
https://github.com/advisories/GHSA-5pf6-2qwx-pxm2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-5pf6-2qwx-pxm2/GHSA-5pf6-2qwx-pxm2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5pf6-2qwx-pxm2
Aliases
Related
Published
2024-03-06T20:11:59Z
Modified
2024-03-12T15:22:22Z
Summary
Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials
Details

Impact

Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.

The relevant code, quoted inline (the second assignment is the problem):

    if p.Client == nil {
        p.Client = http.DefaultClient
    }

    if p.roundTripper != nil {
        p.Client.Transport = p.roundTripper // when p.Client was nil, this mutates the shared http.DefaultClient
    }

When the transport is populated with an authenticated transport such as:
- oauth2.Transport
- idtoken.NewClient(...).Transport

... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact!
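As an added illustration (constructed for this page, not code from the SDK or from the advisory authors): a stand-alone Go program that reproduces the aliasing in the snippet above beside the hardened form, routing every request through a recording RoundTripper instead of a real network. `wire`, `defaultShared`, `defaultCopy`, `leakCheck`, the `rtFunc` helper, the bearer token and the example URLs are all assumed names for the demonstration.

```go
package main

import "net/http"

// rtFunc lets a plain function act as an http.RoundTripper (demo helper).
type rtFunc func(*http.Request) (*http.Response, error)
func (f rtFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// defaultShared is what the <= 2.15.1 snippet does: hand back the process-wide client itself.
func defaultShared() *http.Client { return http.DefaultClient }

// defaultCopy is the hardened form: a private shallow copy, so the global is never aliased.
func defaultCopy() *http.Client {
	c := *http.DefaultClient
	return &c
}

// wire mirrors the advisory's snippet; def supplies the client used when none was passed.
func wire(client *http.Client, rt http.RoundTripper, def func() *http.Client) *http.Client {
	if client == nil {
		client = def()
	}
	if rt != nil {
		client.Transport = rt
	}
	return client
}

// leakCheck wires a token-stamping transport (stand-in for oauth2.Transport), sends one event via
// the returned client and one unrelated request via http.DefaultClient, and reports the
// Authorization header each URL received. The "network" is a recorder; nothing leaves the host.
func leakCheck(def func() *http.Client) (map[string]string, error) {
	seen := map[string]string{} // URL -> Authorization header ("" = none)
	network := rtFunc(func(r *http.Request) (*http.Response, error) {
		seen[r.URL.String()] = r.Header.Get("Authorization")
		return &http.Response{StatusCode: 200, Body: http.NoBody, Request: r}, nil
	})
	auth := rtFunc(func(r *http.Request) (*http.Response, error) {
		r = r.Clone(r.Context())
		r.Header.Set("Authorization", "Bearer constructed-token")
		return network.RoundTrip(r)
	})
	defer func(orig http.RoundTripper) { http.DefaultClient.Transport = orig }(http.DefaultClient.Transport)
	http.DefaultClient.Transport = network
	client := wire(nil, auth, def) // no explicit client, as with WithRoundTripper alone
	if _, err := client.Get("http://events.example/"); err != nil { // the event sink
		return nil, err
	}
	_, err := http.DefaultClient.Get("http://other.example/") // some unrelated API
	return seen, err // bodies are http.NoBody, so there is nothing to close
}
```

Call `leakCheck(defaultShared)` and `leakCheck(defaultCopy)` and compare the header recorded for the unrelated URL: only the shared default client forwards the bearer token there.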

Found and patched by: @tcnghia and @mattmoor

Patches

v2.15.2

Database specific
{
    "nvd_published_at": "2024-03-06T22:15:57Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-06T20:11:59Z"
}
References

Affected packages

Go / github.com/cloudevents/sdk-go/v2

Package

Name
github.com/cloudevents/sdk-go/v2
Purl
pkg:golang/github.com/cloudevents/sdk-go/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.15.2

Database specific

{
    "last_known_affected_version_range": "<= 2.15.1"
}