CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
15.5%
github.com/cloudevents/sdk-go/v2 is vulnerable to Insufficiently Protected Credentials. The vulnerability is due to the improper use of cloudevents.WithRoundTripper
, allowing the leakage of credentials to arbitrary endpoints when creating a cloudevents.Client
with an authenticated http.RoundTripper
.
github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110
github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110
github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851
github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2