GHSA-xr7q-jx4m-x55m

Source
https://github.com/advisories/GHSA-xr7q-jx4m-x55m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-xr7q-jx4m-x55m/GHSA-xr7q-jx4m-x55m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xr7q-jx4m-x55m
Published
2024-07-05T20:07:01Z
Modified
2024-07-09T21:38:29Z
Summary
Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go
Details

Impact

This issue represents a potential PII concern. If an application prints or logs a context containing gRPC metadata, the output in the affected versions will contain all the metadata, which may include private information.

Patches

The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0.

Workarounds

If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.
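
Why the workaround matters, as an added example that is not from the advisory or from grpc-go: Go's standard `context` package formats a stored value through its `String` method when it has one, so printing a context can print what it carries. `fakeMD`, `mdKey`, the helper names and the token are constructed stand-ins, and the example assumes metadata in the affected versions is exposed through this same formatting path.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// fakeMD is a constructed stand-in for request metadata; it is not grpc-go's type.
type fakeMD map[string][]string

// String makes the value printable, which is what lets context formatting expose it.
func (m fakeMD) String() string { return fmt.Sprint(map[string][]string(m)) }

// mdKey is a hypothetical context key for the stand-in metadata.
type mdKey struct{}

// ctxWithMD stores the metadata in a context, as an RPC framework would.
func ctxWithMD(md fakeMD) context.Context {
	return context.WithValue(context.Background(), mdKey{}, md)
}

// unsafeLogLine formats the whole context: the pattern the workaround says to avoid.
func unsafeLogLine(ctx context.Context) string {
	return fmt.Sprintf("handling request ctx=%v", ctx)
}

// safeLogLine never formats the context; it emits only allow-listed metadata keys.
func safeLogLine(ctx context.Context, allowed ...string) string {
	md, _ := ctx.Value(mdKey{}).(fakeMD)
	var parts []string
	for _, k := range allowed {
		if v, ok := md[k]; ok {
			parts = append(parts, fmt.Sprintf("%s=%q", k, v))
		}
	}
	return "handling request " + strings.Join(parts, " ")
}

func main() {
	ctx := ctxWithMD(fakeMD{
		"authorization": {"Bearer CONSTRUCTED-TOKEN"}, // constructed sample value
		"x-request-id":  {"req-123"},
	})
	fmt.Println(unsafeLogLine(ctx))               // token appears in the log line
	fmt.Println(safeLogLine(ctx, "x-request-id")) // only the request id appears
}
```

Searching a code base for log or print calls that take `ctx` as an argument is a quick way to find the pattern shown in `unsafeLogLine`.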

Affected packages

Go / google.golang.org/grpc

Package

Name
google.golang.org/grpc
Purl
pkg:golang/google.golang.org/grpc

Affected ranges

Type
SEMVER
Events
Introduced
1.64.0
Fixed
1.64.1