CVE-2024-28110

EPSS 0.14%
Veröffentlicht 06.03.2024 22:15:57
Zuletzt bearbeitet 04.12.2025 20:57:21
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cloudevents ≫ Go Sdk Version <= 2.15.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.14%	0.343

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110

Product

https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851

Patch

https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-28110

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-28110

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-28110

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-28110