CVE-2024-28110
HIGHCloudevents GO SDK < 2.15.1 - Insufficiently Protected Credentials
Title source: ruleDescription
Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.
Scores
CVSS v3
7.5
EPSS
0.0014
EPSS Percentile
33.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Classification
CWE
CWE-522
Status
published
Affected Products (2)
cloudevents/go_sdk
< 2.15.1
cloudevents/sdk-go
< 2.15.2Go
Timeline
Published
Mar 06, 2024
Tracked Since
Feb 18, 2026