Headline
GHSA-5pf6-2qwx-pxm2: Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials
Package
gomod github.com/cloudevents/sdk-go/v2 (Go)
Affected versions
<= 2.15.1
Patched versions
2.15.2
Description
Impact
What kind of vulnerability is it? Who is impacted?
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.
The relevant code is here (also inline, emphasis added):
if p.Client == nil { p.Client = **http.DefaultClient** }
if p.roundTripper != nil { p.Client.**Transport = p.roundTripper** }
When the transport is populated with an authenticated transport such as:
- oauth2.Transport
- idtoken.NewClient(…).Transport
… then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact!
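As an added illustration (not code from the sdk-go project), the Go program below reproduces the pattern with a constructed bearer-token transport standing in for oauth2.Transport: when the nil-Client fallback is the shared http.DefaultClient, a later request made through the plain http.DefaultClient to an unrelated server carries the token; when the fallback is a fresh *http.Client, it does not. The protocol struct, wire function and authTransport are assumptions mirroring the snippet, not the SDK's own types.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// authTransport stands in for an authenticated RoundTripper (e.g. oauth2.Transport).
type authTransport struct{ token string }
func (t *authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return http.DefaultTransport.RoundTrip(r)
}

// protocol mirrors the two fields used in the advisory's snippet.
type protocol struct {
	Client       *http.Client
	roundTripper http.RoundTripper
}

// wire reproduces the snippet's logic: a nil Client falls back to `fallback`
// (http.DefaultClient before 2.15.2) and then has its Transport overwritten.
func wire(p *protocol, fallback *http.Client) {
	if p.Client == nil {
		p.Client = fallback
	}
	if p.roundTripper != nil {
		p.Client.Transport = p.roundTripper
	}
}

// LeakedAuthHeader wires a protocol (nil Client, authenticated transport) using fallback,
// then has the plain http.DefaultClient call an unrelated test server and returns the
// Authorization header that server received ("" means nothing leaked).
func LeakedAuthHeader(fallback *http.Client) string {
	saved := http.DefaultClient.Transport
	defer func() { http.DefaultClient.Transport = saved }() // keep the check hermetic
	var seen string
	srv := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Authorization")
	}))
	defer srv.Close()
	wire(&protocol{roundTripper: &authTransport{token: "constructed-secret"}}, fallback)
	resp, err := http.DefaultClient.Get(srv.URL) // caller that never asked for auth
	if err != nil {
		return "error: " + err.Error()
	}
	resp.Body.Close()
	return seen
}
```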
Found and patched by: @tcnghia and @mattmoor
Patches
v2.15.2
References
- GHSA-5pf6-2qwx-pxm2
- cloudevents/sdk-go@de2f283
- https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110
duglin published to cloudevents/sdk-go: Mar 6, 2024
Published to the GitHub Advisory Database: Mar 6, 2024
Reviewed: Mar 6, 2024
Related news
Red Hat Security Advisory 2024-8425-03 - Red Hat OpenShift Container Platform release 4.15.37 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.
Red Hat Security Advisory 2024-0041-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, password leak, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-1333-03 - Red Hat OpenShift Serverless version 1.32.0 is now available.