CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
15.5%
What kind of vulnerability is it? Who is impacted?
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.
The relevant code is here (also inline, emphasis added):
<pre>if p.Client == nil {
p.Client = http.DefaultClient
}
if p.roundTripper != nil {
p.Client.Transport = p.roundTripper
}
</pre>
When the transport is populated with an authenticated transport such as:
… then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to
any endpoint it is used to contact!
Found and patched by: @tcnghia and @mattmoor
v.2.15.2
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
15.5%