Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials
Moderate severity
GitHub Reviewed
Published
Mar 6, 2024
in
cloudevents/sdk-go
•
Updated Mar 12, 2024
Description
Published to the GitHub Advisory Database
Mar 6, 2024
Reviewed
Mar 6, 2024
Published by the National Vulnerability Database
Mar 6, 2024
Last updated
Mar 12, 2024
Impact
What kind of vulnerability is it? Who is impacted?
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.
The relevant code is here (also inline, emphasis added):
When the transport is populated with an authenticated transport such as:
... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to
any endpoint it is used to contact!
Found and patched by: @tcnghia and @mattmoor
Patches
v.2.15.2
References