CVE-2024-28110

{"id": "CVE-2024-28110", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-03-06T22:15:57.550", "references": [{"url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue."}, {"lang": "es", "value": "Go SDK para CloudEvents es el SDK oficial de CloudEvents para integrar aplicaciones con CloudEvents. Antes de la versi\u00f3n 2.15.2, el uso de cloudevents.WithRoundTripper para crear un cloudevents.Client con un http.RoundTripper autenticado provocaba que go-sdk filtrara credenciales a endpoints arbitrarios. Cuando el transporte se completa con un transporte autenticado, http.DefaultClient se modifica con el transporte autenticado y comenzar\u00e1 a enviar tokens de autorizaci\u00f3n a cualquier endpoint con el que se utilice para contactar. La versi\u00f3n 2.15.2 soluciona este problema."}], "lastModified": "2025-12-04T20:57:21.163", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cloudevents:go_sdk:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0583C6C8-2F72-482C-AA79-4F36A0B10B4A", "versionEndIncluding": "2.15.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}