GoogleOSV:GHSA-5PF6-2QWX-PXM2Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.5%
Impact
What kind of vulnerability is it? Who is impacted?
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.
The relevant code is here (also inline, emphasis added):
<pre>if p.Client == nil {
p.Client = http.DefaultClient
}
if p.roundTripper != nil {
p.Client.Transport = p.roundTripper
}
</pre>
When the transport is populated with an authenticated transport such as:
… then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to
any endpoint it is used to contact!
Found and patched by: @tcnghia and @mattmoor
Patches
v.2.15.2
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/cloudevents/sdk-go/v2 | lt | 2.15.2 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.5%