{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28110", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-04T14:19:14.059Z", "datePublished": "2024-03-06T21:12:26.991Z", "dateUpdated": "2024-08-02T00:48:48.810Z"}, "containers": {"cna": {"title": "Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials", "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "lang": "en", "description": "CWE-522: Insufficiently Protected Credentials", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2"}, {"name": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851", "tags": ["x_refsource_MISC"], "url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851"}, {"name": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110", "tags": ["x_refsource_MISC"], "url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110"}], "affected": [{"vendor": "cloudevents", "product": "sdk-go", "versions": [{"version": "< 2.15.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-06T21:12:26.991Z"}, "descriptions": [{"lang": "en", "value": "Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue."}], "source": {"advisory": "GHSA-5pf6-2qwx-pxm2", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "cloudevents", "product": "sdk_go", "cpes": ["cpe:2.3:a:cloudevents:sdk_go:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.15.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-07T16:39:07.678774Z", "id": "CVE-2024-28110", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T14:07:33.976Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:48.810Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2"}, {"name": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851"}, {"name": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2", "name": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851", "name": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110", "name": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:48.810Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28110", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-07T16:39:07.678774Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cloudevents:sdk_go:*:*:*:*:*:*:*:*"], "vendor": "cloudevents", "product": "sdk_go", "versions": [{"status": "affected", "version": "0", "lessThan": "2.15.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T14:07:17.146Z"}}], "cna": {"title": "Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials", "source": {"advisory": "GHSA-5pf6-2qwx-pxm2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "cloudevents", "product": "sdk-go", "versions": [{"status": "affected", "version": "< 2.15.2"}]}], "references": [{"url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2", "name": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851", "name": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110", "name": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-06T21:12:26.991Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28110", "state": "PUBLISHED", "dateUpdated": "2024-08-02T00:48:48.810Z", "dateReserved": "2024-03-04T14:19:14.059Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-06T21:12:26.991Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue."}, {"lang": "es", "value": "Go SDK para CloudEvents es el SDK oficial de CloudEvents para integrar aplicaciones con CloudEvents. Antes de la versi\u00f3n 2.15.2, el uso de cloudevents.WithRoundTripper para crear un cloudevents.Client con un http.RoundTripper autenticado provocaba que go-sdk filtrara credenciales a endpoints arbitrarios. Cuando el transporte se completa con un transporte autenticado, http.DefaultClient se modifica con el transporte autenticado y comenzar\u00e1 a enviar tokens de autorizaci\u00f3n a cualquier endpoint con el que se utilice para contactar. La versi\u00f3n 2.15.2 soluciona este problema."}], "id": "CVE-2024-28110", "lastModified": "2024-03-07T13:52:27.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-06T22:15:57.550", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110"}, {"source": "security-advisories@github.com", "url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851"}, {"source": "security-advisories@github.com", "url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:0040", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-cloud-event-proxy-rhel9:v4.16.0-202406131906.p0.g3279440.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2024-06-27T00:00:00Z"}, {"advisory": "RHSA-2024:0040", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-ptp-rhel9-operator:v4.16.0-202406131906.p0.gc8a5dbf.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2024-06-27T00:00:00Z"}, {"advisory": "RHSA-2024:0041", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-console-rhel9:v4.16.0-202406140306.p0.gcb7b078.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2024-06-27T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/client-kn-rhel8:1.11.2-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-controller-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-istio-controller-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-kafka-broker-controller-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-kafka-broker-dispatcher-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-kafka-broker-post-install-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-kafka-broker-receiver-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-kafka-broker-webhook-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-mtping-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-webhook-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/func-utils-rhel8:1.32.0-3", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/ingress-rhel8-operator:1.32.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/knative-rhel8-operator:1.32.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:1.11.2-3", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/kourier-control-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/net-istio-controller-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/net-istio-webhook-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serverless-operator-bundle:1.32.0-9", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serverless-rhel8-operator:1.32.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serving-activator-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serving-autoscaler-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serving-controller-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serving-queue-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serving-webhook-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.32.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1-tech-preview/eventing-istio-controller-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1-tech-preview/knative-client-plugin-event-sender-rhel8:1.11.0-3", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8:1.32.0-5", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1-tech-preview/logic-operator-bundle:1.32.0-8", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1-tech-preview/logic-rhel8-operator:1.32.0-8", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1-tech-preview/logic-swf-builder-rhel8:1.32.0-5", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8:1.32.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}], "bugzilla": {"description": "cloudevents/sdk-go: usage of WithRoundTripper to create a Client leaks credentials", "id": "2268372", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268372"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-522", "details": ["Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.", "A vulnerability was found in cloudevents/sdk-go. This issue involves using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper results in the go-sdk leaking credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport, causing it to send Authorization tokens to any endpoint it communicates with. This flaw allows an attacker to intercept and abuse these leaked credentials, potentially leading to unauthorized access to sensitive information or executing unauthorized actions on the affected system."], "name": "CVE-2024-28110", "package_state": [{"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines-client", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-clients", "product_name": "OpenShift Serverless"}], "public_date": "2024-03-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-28110\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-28110\nhttps://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2"], "threat_severity": "Moderate", "upstream_fix": "sdk-go 2.15.2"}