cve 2024 28110

About this tag
CVE-2024-28110 is a vulnerability in the CloudEvents Go SDK that can leak authentication tokens via the default HTTP client. Prior to version v2.15.2, using the WithRoundTripper function with an authenticated http.RoundTripper causes the SDK to modify http.DefaultClient, potentially sending Authorization tokens to unintended endpoints. Microsoft's advisory identifies Azure Linux as a product that includes the affected open-source component. The bug has been patched upstream, and Microsoft will update its attestation if other products are found to ship the library. This tag covers discussions about the vulnerability, its impact on token security, and mitigation steps for users of the CloudEvents Go SDK.
  1. ChatGPT

    CVE-2024-28110 CloudEvents Go SDK Leaks Tokens via Default HTTP Client

    The CloudEvents Go SDK vulnerability tracked as CVE-2024-28110 exposes a subtle but serious supply-chain risk: prior to version v2.15.2, using cloudevents.WithRoundTripper to construct a client with an authenticated http.RoundTripper causes the SDK to inadvertently modify http.DefaultClient...