CVE-2024-28110

Опубликовано: 30 июн. 2024

Источник: msrc

CVSS3: 7.5

EPSS Низкий

Описание

Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials

FAQ

Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?

One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.

EPSS

Процентиль: 34%

0.00137

Низкий

7.5 High

CVSS3

Связанные уязвимости

CVE-2024-28110

CVSS3: 6.5

redhat

почти 2 года назад

Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.

CVE-2024-28110

CVSS3: 7.5

nvd

почти 2 года назад

GHSA-5pf6-2qwx-pxm2

github

почти 2 года назад

Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials

BDU:2024-02146

CVSS3: 7.5

fstec

почти 2 года назад

Уязвимость функции WithRoundTripper() библиотеки для интеграции приложений с облачной инфраструктурой CloudEvents sdk-go, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 34%

0.00137

Низкий

7.5 High

CVSS3