Description
Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.
A vulnerability was found in cloudevents/sdk-go. Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper results in the go-sdk leaking credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport, causing it to send Authorization tokens to any endpoint it communicates with. This flaw allows an attacker to intercept and abuse these leaked credentials, potentially leading to unauthorized access to sensitive information or executing unauthorized actions on the affected system.
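The mechanism described above, as an added Go example that is not the SDK's own code: a bearer-token RoundTripper, a constructor that models the pre-2.15.2 pattern of installing that transport on the process-wide http.DefaultClient beside one that keeps a dedicated http.Client, and a check a test suite can run to confirm that http.DefaultClient does not carry the token to unrelated hosts. The constructor names, the recording stub transport and the token value are constructed for this example.

```go
package main

import "net/http"

// authRoundTripper attaches a bearer token to every request it forwards.
type authRoundTripper struct {
	token string
	next  http.RoundTripper
}

func (a *authRoundTripper) RoundTrip(r *http.Request) (*http.Response, error) {
	r2 := r.Clone(r.Context())
	r2.Header.Set("Authorization", "Bearer "+a.token)
	return a.next.RoundTrip(r2)
}

// recorder is a stub transport constructed for this example: it keeps the last
// request it saw and answers 200 without touching the network.
type recorder struct{ last *http.Request }

func (s *recorder) RoundTrip(r *http.Request) (*http.Response, error) {
	s.last = r
	return &http.Response{StatusCode: 200, Body: http.NoBody, Request: r}, nil
}

// leakyClient models the pre-2.15.2 behaviour the advisory describes: the
// authenticated transport is installed on the process-wide http.DefaultClient.
func leakyClient(rt http.RoundTripper) *http.Client {
	http.DefaultClient.Transport = rt
	return http.DefaultClient
}

// isolatedClient keeps the credential on a dedicated client (the safe pattern).
func isolatedClient(rt http.RoundTripper) *http.Client {
	return &http.Client{Transport: rt}
}

// defaultClientLeaksToken reports whether, after build has run, a request sent
// through http.DefaultClient to an unrelated host carries the Authorization header.
func defaultClientLeaksToken(build func(http.RoundTripper) *http.Client) bool {
	rec := &recorder{}
	saved := http.DefaultClient.Transport
	http.DefaultClient.Transport = rec // unauthenticated baseline transport
	defer func() { http.DefaultClient.Transport = saved }()
	build(&authRoundTripper{token: "constructed-token", next: rec})
	if resp, err := http.DefaultClient.Get("http://unrelated.example/"); err == nil {
		resp.Body.Close()
	}
	return rec.last != nil && rec.last.Header.Get("Authorization") != ""
}
```

defaultClientLeaksToken(leakyClient) returns true while defaultClientLeaksToken(isolatedClient) returns false, so the same check can guard a code base against reintroducing the pattern.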
Report
Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-522: Insufficiently Protected Credentials vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Access to the platform is granted only after successful hard token-based multi-factor authentication (MFA) and enforced through least privilege, ensuring only authorized users can execute or modify code. This secure access mechanism also protects credentials in transit, preventing interception or misuse. Domain accounts follow predefined lockout policies to detect repeated failed login attempts and reduce the risk of credential compromise. The platform further enforces identity verification through IAM roles, restricting infrastructure management to authorized personnel.
Affected packages
| Platform | Package | State | Recommendation | Release date |
|---|---|---|---|---|
| OpenShift Pipelines | openshift-pipelines-client | Affected | | |
| OpenShift Serverless | openshift-serverless-clients | Not affected | | |
| Red Hat OpenShift Container Platform 4.15 | openshift4/ose-console | Fixed | RHSA-2024:8425 | 31.10.2024 |
| Red Hat OpenShift Container Platform 4.16 | openshift4/ose-cloud-event-proxy-rhel9 | Fixed | RHSA-2024:0040 | 27.06.2024 |
| Red Hat OpenShift Container Platform 4.16 | openshift4/ose-ptp-rhel9-operator | Fixed | RHSA-2024:0040 | 27.06.2024 |
| Red Hat OpenShift Container Platform 4.16 | openshift4/ose-console-rhel9 | Fixed | RHSA-2024:0041 | 27.06.2024 |
| RHOSS-1.32-RHEL-8 | openshift-serverless-1/client-kn-rhel8 | Fixed | RHSA-2024:1333 | 14.03.2024 |
| RHOSS-1.32-RHEL-8 | openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8 | Fixed | RHSA-2024:1333 | 14.03.2024 |
| RHOSS-1.32-RHEL-8 | openshift-serverless-1/eventing-controller-rhel8 | Fixed | RHSA-2024:1333 | 14.03.2024 |
| RHOSS-1.32-RHEL-8 | openshift-serverless-1/eventing-in-memory-channel-controller-rhel8 | Fixed | RHSA-2024:1333 | 14.03.2024 |
Additional information
Status:
6.5 Medium
CVSS3
Related vulnerabilities
Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials
Vulnerability in the WithRoundTripper() function of the CloudEvents sdk-go library for integrating applications with cloud infrastructure, allowing an attacker to gain unauthorized access to protected information