Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-5pf6-2qwx-pxm2: Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials

Impact

What kind of vulnerability is it? Who is impacted? Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.

The relevant code is here (also inline, emphasis added):

<pre>if p.Client == nil { p.Client = http.DefaultClient }

if p.roundTripper != nil { p.Client.Transport = p.roundTripper } </pre>

When the transport is populated with an authenticated transport such as:

… then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact!

Found and patched by: @tcnghia and @mattmoor

Patches

v.2.15.2

ghsa
#vulnerability#google#git#oauth#auth

Package

gomod github.com/cloudevents/sdk-go/v2 (Go)

Affected versions

<= 2.15.1

Patched versions

2.15.2

Description

Impact

What kind of vulnerability is it? Who is impacted?
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.

The relevant code is here (also inline, emphasis added):

if p.Client == nil { p.Client = **http.DefaultClient** }

if p.roundTripper != nil { p.Client.**Transport = p.roundTripper** }

When the transport is populated with an authenticated transport such as:

  • oauth2.Transport
  • idtoken.NewClient(…).Transport

… then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to
any endpoint it is used to contact!

Found and patched by: @tcnghia and @mattmoor

Patches

v.2.15.2

References

  • GHSA-5pf6-2qwx-pxm2
  • cloudevents/sdk-go@de2f283
  • https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110

duglin published to cloudevents/sdk-go

Mar 6, 2024

Published to the GitHub Advisory Database

Mar 6, 2024

Reviewed

Mar 6, 2024

Related news

Red Hat Security Advisory 2024-8425-03

Red Hat Security Advisory 2024-8425-03 - Red Hat OpenShift Container Platform release 4.15.37 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

Red Hat Security Advisory 2024-0041-03

Red Hat Security Advisory 2024-0041-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, password leak, and resource exhaustion vulnerabilities.

Red Hat Security Advisory 2024-1333-03

Red Hat Security Advisory 2024-1333-03 - Red Hat OpenShift Serverless version 1.32.0 is now available.