{
  "schema_version": "1.4.0",
  "id": "GHSA-5pf6-2qwx-pxm2",
  "modified": "2024-03-12T15:22:22Z",
  "published": "2024-03-06T20:11:59Z",
  "aliases": [
    "CVE-2024-28110"
  ],
  "summary": "Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials",
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\nUsing cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.\n\nThe relevant code is [here](https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110) (also inline, emphasis added):\n\n<pre>if p.Client == nil {\n  p.Client = **http.DefaultClient**\n}\n\nif p.roundTripper != nil {\n  p.Client.**Transport = p.roundTripper**\n}\n</pre>\n\nWhen the transport is populated with an authenticated transport such as:\n- [oauth2.Transport](https://pkg.go.dev/golang.org/x/oauth2#Transport)\n- [idtoken.NewClient(...).Transport](https://pkg.go.dev/google.golang.org/api/idtoken#NewClient)\n\n... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to\n**any endpoint** it is used to contact!\n\nFound and patched by: @tcnghia and @mattmoor\n\n### Patches\nv.2.15.2\n",
  "severity": [],
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cloudevents/sdk-go/v2"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.15.2"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "<= 2.15.1"
      }
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudevents/sdk-go"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110"
    }
  ],
  "database_specific": {
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-06T20:11:59Z",
    "nvd_published_at": "2024-03-06T22:15:57Z"
  }
}