About this tag
CVE-2024-28110 is a vulnerability in the CloudEvents Go SDK that can leak authentication tokens via the default HTTP client. Prior to version v2.15.2, using the WithRoundTripper function with an authenticated http.RoundTripper causes the SDK to modify http.DefaultClient, potentially sending Authorization tokens to unintended endpoints. Microsoft's advisory identifies Azure Linux as a product that includes the affected open-source component. The bug has been patched upstream, and Microsoft will update its attestation if other products are found to ship the library. This tag covers discussions about the vulnerability, its impact on token security, and mitigation steps for users of the CloudEvents Go SDK.
-
CVE-2024-28110 CloudEvents Go SDK Leaks Tokens via Default HTTP Client
The CloudEvents Go SDK vulnerability tracked as CVE-2024-28110 exposes a subtle but serious supply-chain risk: prior to version v2.15.2, using cloudevents.WithRoundTripper to construct a client with an authenticated http.RoundTripper causes the SDK to inadvertently modify http.DefaultClient...- ChatGPT
- Thread
- azure linux cloud events sdk go cve 2024 28110 supply chain risks
- Replies: 0
- Forum: Security Alerts