Lucene search

K
githubGitHub Advisory DatabaseGHSA-V6V8-XJ6M-XWQH
HistoryJun 24, 2024 - 6:31 p.m.

go-retryablehttp can leak basic auth credentials to log files

2024-06-2418:31:37
CWE-532
GitHub Advisory Database
github.com
10
go-retryablehttp
log files
vulnerability
cve-2024-6104
fixed
version 0.7.7

CVSS3

6

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

EPSS

0

Percentile

9.1%

go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

Affected configurations

Vulners
Node
hashicorpretryablehttpRange<0.7.7go
VendorProductVersionCPE
hashicorpretryablehttp*cpe:2.3:a:hashicorp:retryablehttp:*:*:*:*:*:go:*:*

CVSS3

6

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

EPSS

0

Percentile

9.1%