Introduction

This post examines CVE-2024-28110, a credential-leak vulnerability in the Go SDK for CloudEvents (github.com/cloudevents/sdk-go), the official Go SDK for integrating applications with CloudEvents. Before version 2.15.2, creating a cloudevents.Client with cloudevents.WithRoundTripper and an authenticated http.RoundTripper causes the SDK to install that transport on the process-wide http.DefaultClient, so any other code in the same process that uses the default client sends the credentials to whatever endpoint it contacts. The fix is to upgrade to version 2.15.2 or later.

Original References

- Go SDK for CloudEvents GitHub Repository: https://github.com/cloudevents/sdk-go
- Go SDK for CloudEvents Release v2.15.2: https://github.com/cloudevents/sdk-go/releases/tag/v2.15.2
- CVE-2024-28110: https://nvd.nist.gov/vuln/detail/CVE-2024-28110

Exploit Details

In versions before 2.15.2, when cloudevents.WithRoundTripper is used to create a cloudevents.Client with an authenticated http.RoundTripper and no explicit http.Client is supplied, the SDK falls back to the package-level http.DefaultClient and assigns the supplied transport to its Transport field. http.DefaultClient is a process-wide singleton used by http.Get, http.Post and by any other library that does not construct its own client, so once the cloudevents.Client exists every one of those requests carries the Authorization tokens (or client certificates) that the transport adds, whatever endpoint they are addressed to. The credentials therefore leak not to the event sink the client was configured for, which is expected to receive them, but to arbitrary unrelated endpoints.

Here is a code snippet demonstrating the issue (v2 API; the SDK calls are real, the token and URLs are placeholders):

package main

import (
	"context"
	"log"
	"net/http"

	cloudevents "github.com/cloudevents/sdk-go/v2"
)

// bearerTransport is an "authenticated http.RoundTripper": it attaches a
// bearer token to every request before handing it to the underlying transport.
type bearerTransport struct {
	token string
	base  http.RoundTripper
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.base.RoundTrip(r)
}

func main() {
	// An authenticated transport, as it would be built for a protected event sink.
	rt := &bearerTransport{token: "secret-token", base: http.DefaultTransport}

	// Vulnerable on sdk-go < v2.15.2: with no explicit http.Client supplied,
	// the SDK falls back to http.DefaultClient and installs rt as its Transport.
	c, err := cloudevents.NewClientHTTP(
		cloudevents.WithRoundTripper(rt),
		cloudevents.WithTarget("https://events.example.com/sink"), // placeholder target
	)
	if err != nil {
		log.Fatalf("failed to create cloudevents client: %v", err)
	}

	event := cloudevents.NewEvent()
	event.SetSource("example/uri")
	event.SetType("example.type")
	if err := event.SetData(cloudevents.ApplicationJSON, map[string]string{"hello": "world"}); err != nil {
		log.Fatalf("failed to set event data: %v", err)
	}

	// Sending to the configured target is expected to carry the token.
	// Send returns a protocol.Result; IsUndelivered is the correct failure check.
	if result := c.Send(context.Background(), event); cloudevents.IsUndelivered(result) {
		log.Printf("failed to send cloudevents event: %v", result)
	}

	// On affected versions http.DefaultClient now carries the token too, so this
	// unrelated request also sends "Authorization: Bearer secret-token".
	resp, err := http.Get("https://third-party.example.org/healthz") // placeholder host
	if err == nil {
		resp.Body.Close()
	}
}

In this example the token is meant to reach only https://events.example.com/sink, the target the client was configured with. On affected versions, however, constructing the client has replaced http.DefaultClient.Transport with the bearer transport, so the subsequent http.Get to the unrelated host also sends Authorization: Bearer secret-token. Any other package in the same process that relies on the default client is affected in the same way.
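To make the root cause concrete without the SDK dependency, here is an added stand-alone Go example (not code from the sdk-go project or from the original post) that reconstructs the pattern the advisory describes: a library falls back to http.DefaultClient and assigns a credential-bearing transport to it, versus allocating its own http.Client. The bearerTransport type, the newSenderVulnerable and newSenderFixed constructors, the token value and the two httptest servers are all constructed for this example; newSenderFixed is my reading of the post-2.15.2 behaviour, not the SDK's source. It also shows the one-line assertion worth adding to your own test suite.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// bearerTransport stands in for any credential-bearing http.RoundTripper: it
// copies the request and adds a static bearer token before forwarding it.
type bearerTransport struct {
	token string
	base  http.RoundTripper
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.base.RoundTrip(r)
}

// newSenderVulnerable reproduces the pre-2.15.2 pattern described in the
// advisory (simplified reconstruction, not the SDK's source): with no caller
// supplied http.Client, fall back to http.DefaultClient and install the custom
// transport on it. http.DefaultClient is a process-wide singleton, so the
// assignment changes every http.Get/http.Post in the process.
func newSenderVulnerable(rt http.RoundTripper) *http.Client {
	c := http.DefaultClient
	c.Transport = rt
	return c
}

// newSenderFixed keeps the transport private by allocating a dedicated client,
// the shape of the fix assumed here for v2.15.2.
func newSenderFixed(rt http.RoundTripper) *http.Client {
	return &http.Client{Transport: rt}
}

// defaultClientMutated is the assertion to put in your own tests: after wiring
// up any third-party client with credentials, the global must be untouched.
func defaultClientMutated() bool {
	return http.DefaultClient.Transport != nil
}

// authHeaderSeenByUnrelatedEndpoint builds an authenticated sender with the
// given constructor, posts to the intended sink, then issues an unrelated
// request through the package-level http.Get (what a health probe or another
// library would do). It returns the Authorization header the unrelated
// endpoint received ("" if none) and whether http.DefaultClient was mutated.
func authHeaderSeenByUnrelatedEndpoint(newSender func(http.RoundTripper) *http.Client) (leaked string, mutated bool, err error) {
	// Restore the global afterwards so one scenario cannot contaminate the next.
	orig := http.DefaultClient.Transport
	defer func() { http.DefaultClient.Transport = orig }()

	// Constructed event sink: the endpoint that is supposed to see the token.
	sink := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusAccepted)
	}))
	defer sink.Close()

	// Constructed unrelated endpoint: records whatever Authorization it is sent.
	seen := make(chan string, 1)
	unrelated := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get("Authorization")
	}))
	defer unrelated.Close()

	rt := &bearerTransport{token: "example-token", base: http.DefaultTransport}
	sender := newSender(rt)
	mutated = defaultClientMutated()

	resp, err := sender.Post(sink.URL, "application/cloudevents+json", nil)
	if err != nil {
		return "", mutated, err
	}
	resp.Body.Close()

	resp, err = http.Get(unrelated.URL)
	if err != nil {
		return "", mutated, err
	}
	resp.Body.Close()
	return <-seen, mutated, nil
}

func main() {
	for _, s := range []struct {
		name string
		ctor func(http.RoundTripper) *http.Client
	}{{"vulnerable", newSenderVulnerable}, {"fixed", newSenderFixed}} {
		leaked, mutated, err := authHeaderSeenByUnrelatedEndpoint(s.ctor)
		if err != nil {
			fmt.Println(s.name, "error:", err)
			continue
		}
		fmt.Printf("%-10s DefaultClient mutated=%-5v unrelated endpoint got Authorization=%q\n", s.name, mutated, leaked)
	}
}
```

Running it shows the vulnerable constructor handing "Bearer example-token" to the unrelated server while the fixed constructor sends nothing there. The defaultClientMutated check is deliberately library-agnostic: it catches any dependency that reaches into http.DefaultClient, which is why it belongs in an application's own tests rather than only in the SDK's.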

Mitigation

To resolve this vulnerability, update the Go SDK for CloudEvents to version 2.15.2 or later, which scopes a custom http.RoundTripper passed via WithRoundTripper to the cloudevents.Client's own http.Client instead of the shared http.DefaultClient. The v2.15.2 release is available on GitHub. If you cannot upgrade immediately, do not pass a credential-bearing transport through WithRoundTripper, and add a test that asserts http.DefaultClient.Transport is still nil after your clients are constructed; that check catches this class of bug in any dependency, not just this one.

Conclusion

CVE-2024-28110 allows credentials supplied to the Go SDK for CloudEvents through cloudevents.WithRoundTripper to leak to arbitrary endpoints, because affected versions install the authenticated transport on the shared http.DefaultClient. Upgrade to version 2.15.2 or later, and consider whether tokens used with an affected version were exposed to other hosts the process contacted.

Timeline

Published on: 03/06/2024 22:15:57 UTC
Last modified on: 03/07/2024 13:52:27 UTC