GHSA-5pf6-2qwx-pxm2: Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials

Package

gomod github.com/cloudevents/sdk-go/v2 (Go)

Affected versions

<= 2.15.1

Patched versions

2.15.2

Description

Impact

What kind of vulnerability is it? Who is impacted?
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.

The relevant code is here (also inline, emphasis added):

if p.Client == nil { p.Client = **http.DefaultClient** }

if p.roundTripper != nil { p.Client.**Transport = p.roundTripper** }

When the transport is populated with an authenticated transport such as:

• oauth2.Transport
• idtoken.NewClient(…).Transport

… then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to
any endpoint it is used to contact!

Found and patched by: @tcnghia and @mattmoor

Patches

v.2.15.2

References

• GHSA-5pf6-2qwx-pxm2
• cloudevents/sdk-go@de2f283
• https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110

duglin published to cloudevents/sdk-go

Mar 6, 2024

Published to the GitHub Advisory Database

Mar 6, 2024

Reviewed

Mar 6, 2024