data/reports: add GO-2024-2618.yaml

Aliases: CVE-2024-28110, GHSA-5pf6-2qwx-pxm2

Fixes golang/vulndb#2618

Change-Id: I6290d80446b726721a328eb8d6fa283dfe92d1d8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/570725
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Auto-Submit: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2024-2618.json b/data/osv/GO-2024-2618.json
new file mode 100644
index 0000000..5180301
--- /dev/null
+++ b/data/osv/GO-2024-2618.json
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2618",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-28110",
+    "GHSA-5pf6-2qwx-pxm2"
+  ],
+  "summary": "Authentication token leak in github.com/cloudevents/sdk-go/v2",
+  "details": "Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/cloudevents/sdk-go/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.15.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/cloudevents/sdk-go/v2/protocol/http",
+            "symbols": [
+              "New"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110"
+    }
+  ],
+  "credits": [
+    {
+      "name": "mattmoor"
+    },
+    {
+      "name": "tcnghia"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2618"
+  }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2618.yaml b/data/reports/GO-2024-2618.yaml
new file mode 100644
index 0000000..881a94a
--- /dev/null
+++ b/data/reports/GO-2024-2618.yaml
@@ -0,0 +1,28 @@
+id: GO-2024-2618
+modules:
+    - module: github.com/cloudevents/sdk-go/v2
+      versions:
+        - fixed: 2.15.2
+      vulnerable_at: 2.15.1
+      packages:
+        - package: github.com/cloudevents/sdk-go/v2/protocol/http
+          symbols:
+            - New
+summary: Authentication token leak in github.com/cloudevents/sdk-go/v2
+description: |-
+    Using cloudevents.WithRoundTripper to create a cloudevents.Client with an
+    authenticated http.RoundTripper causes the go-sdk to leak credentials to
+    arbitrary endpoints. When the transport is populated with an authenticated
+    transport, http.DefaultClient is modified with the authenticated transport and
+    will start to send Authorization tokens to any endpoint it is used to contact.
+cves:
+    - CVE-2024-28110
+ghsas:
+    - GHSA-5pf6-2qwx-pxm2
+credits:
+    - mattmoor
+    - tcnghia
+references:
+    - advisory: https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2
+    - fix: https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851
+    - web: https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110
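Review bot: The `description: |-` block never says that `http.DefaultClient` is a process-wide shared value, so a reader can miss that the Authorization header also goes out on requests made by unrelated code in the same binary (anything calling `http.Get` or using `http.DefaultClient` directly), not only on CloudEvents traffic. I would end the description with a sentence such as `Because http.DefaultClient is shared by the whole process, requests made by other packages through it carry the token as well.` The text also calls the library "the go-sdk" while the module is `github.com/cloudevents/sdk-go/v2`; `sdk-go` would match the module path and the summary line. The description names `cloudevents.WithRoundTripper` as the trigger but `symbols` lists only `New`, presumably because the option is applied there, so one clause connecting the two would help readers of symbol-level scan results. The same wording is mirrored in the generated `details` field of data/osv/GO-2024-2618.json and would follow on regeneration.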