CVE-2024-28110
HIGHCloudevents GO SDK < 2.15.1 - Insufficiently Protected Credentials
Title source: ruleDescription
Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2
Patch x_refsource_misc
https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851
Scores
CVSS v3
7.5
EPSS
0.0014
EPSS Percentile
33.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-522
Status
published
Products (2)
cloudevents/go_sdk
< 2.15.1
cloudevents/sdk-go
0 - 2.15.2Go
Published
Mar 06, 2024
Tracked Since
Feb 18, 2026