An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS12NnY4LXhqNm0teHdxaM4AA9UK

Severity: Moderate
EPSS score: 9.0e-05 (0.00645 percentile)

go-retryablehttp can leak basic auth credentials to log files

Affected Packages

go:github.com/hashicorp/go-retryablehttp
  Affected versions: < 0.7.7
  Fixed version: 0.7.7
  10,318 dependent packages
  34,302 dependent repositories

Affected Version Ranges

All affected versions

0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6

All unaffected versions

0.7.7, 0.7.8

go-retryablehttp prior to 0.7.7 did not sanitize URLs before writing them to its log output. A request URL that carries HTTP basic auth credentials in its userinfo component (https://user:password@host/...) was therefore logged verbatim, exposing the password to anyone who can read the log. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
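To make the defect concrete, the Go program below is an added example, not go-retryablehttp's own code. It builds a log line the pre-0.7.7 way (raw URL interpolated into the message) next to one that redacts the password first, and includes a small scanner for checking existing logs for URLs that still carry credentials. The redaction approach (replace the password with "xxxxx") mirrors what net/http does internally for its own error messages; the function names, the sample URL and the log excerpt are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// RedactURL returns u as a string with any password in the userinfo
// replaced by "xxxxx", so the result is safe to write to a log line.
// The caller's URL is not modified. (Added example; not the library's code.)
func RedactURL(u *url.URL) string {
	if u == nil {
		return ""
	}
	ru := *u // shallow copy; reassigning ru.User leaves u untouched
	if ru.User != nil {
		if _, hasPassword := ru.User.Password(); hasPassword {
			ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
		}
	}
	return ru.String()
}

// LogLineVulnerable mirrors the pre-0.7.7 pattern: the URL is written to the
// log as-is, including any user:password@ component.
func LogLineVulnerable(method string, u *url.URL) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, u.String())
}

// LogLineFixed is the hardened form: the URL is redacted before logging.
func LogLineFixed(method string, u *url.URL) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, RedactURL(u))
}

// leakedCredRe matches scheme://user:password@ anywhere in a line. It is a
// heuristic for triaging logs, not a full URL parser.
var leakedCredRe = regexp.MustCompile(`[a-zA-Z][a-zA-Z0-9+.-]*://[^/\s:@]+:([^@\s]+)@`)

// FindLeakedCredentials returns the lines of logText that contain a URL with a
// password in its userinfo, skipping lines whose password is the "xxxxx"
// placeholder written by RedactURL.
func FindLeakedCredentials(logText string) []string {
	var hits []string
	for _, line := range strings.Split(logText, "\n") {
		m := leakedCredRe.FindStringSubmatch(line)
		if m == nil || m[1] == "xxxxx" {
			continue
		}
		hits = append(hits, line)
	}
	return hits
}

func main() {
	// Constructed sample request URL carrying basic auth credentials.
	u, err := url.Parse("https://alice:s3cr3t@api.example.com/v1/items?page=2")
	if err != nil {
		panic(err)
	}
	fmt.Println(LogLineVulnerable("GET", u)) // password appears in the log line
	fmt.Println(LogLineFixed("GET", u))      // https://alice:xxxxx@api.example.com/v1/items?page=2

	// Constructed log excerpt mixing a leaked, a credential-free and a redacted line.
	sample := LogLineVulnerable("GET", u) + "\n" +
		"[DEBUG] GET https://api.example.com/health\n" +
		LogLineFixed("GET", u)
	for _, hit := range FindLeakedCredentials(sample) {
		fmt.Println("leaked credential in:", hit)
	}
}
```

Running the program prints the vulnerable line with the password in clear, the redacted line, and then reports only the first line as a leak. A URL with a username but no password is left unchanged by RedactURL, since there is nothing secret to hide in it.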

References: