{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28110", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-04T14:19:14.059Z", "datePublished": "2024-03-06T21:12:26.991Z", "dateUpdated": "2025-04-16T15:54:15.341Z"}, "containers": {"cna": {"title": "Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials", "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "lang": "en", "description": "CWE-522: Insufficiently Protected Credentials", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2"}, {"name": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851", "tags": ["x_refsource_MISC"], "url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851"}, {"name": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110", "tags": ["x_refsource_MISC"], "url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110"}], "affected": [{"vendor": "cloudevents", "product": "sdk-go", "versions": [{"version": "< 2.15.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-06T21:12:26.991Z"}, "descriptions": [{"lang": "en", "value": "Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue."}], "source": {"advisory": "GHSA-5pf6-2qwx-pxm2", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "cloudevents", "product": "sdk_go", "cpes": ["cpe:2.3:a:cloudevents:sdk_go:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.15.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-07T16:39:07.678774Z", "id": "CVE-2024-28110", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T15:54:15.341Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:48.810Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2"}, {"name": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851"}, {"name": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2", "name": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851", "name": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110", "name": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:48.810Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28110", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-07T16:39:07.678774Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cloudevents:sdk_go:*:*:*:*:*:*:*:*"], "vendor": "cloudevents", "product": "sdk_go", "versions": [{"status": "affected", "version": "0", "lessThan": "2.15.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T14:07:17.146Z"}}], "cna": {"title": "Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials", "source": {"advisory": "GHSA-5pf6-2qwx-pxm2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "cloudevents", "product": "sdk-go", "versions": [{"status": "affected", "version": "< 2.15.2"}]}], "references": [{"url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2", "name": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851", "name": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110", "name": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-06T21:12:26.991Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28110", "state": "PUBLISHED", "dateUpdated": "2025-04-16T15:54:15.341Z", "dateReserved": "2024-03-04T14:19:14.059Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-06T21:12:26.991Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue."}, {"lang": "es", "value": "Go SDK para CloudEvents es el SDK oficial de CloudEvents para integrar aplicaciones con CloudEvents. Antes de la versi\u00f3n 2.15.2, el uso de cloudevents.WithRoundTripper para crear un cloudevents.Client con un http.RoundTripper autenticado provocaba que go-sdk filtrara credenciales a endpoints arbitrarios. Cuando el transporte se completa con un transporte autenticado, http.DefaultClient se modifica con el transporte autenticado y comenzar\u00e1 a enviar tokens de autorizaci\u00f3n a cualquier endpoint con el que se utilice para contactar. La versi\u00f3n 2.15.2 soluciona este problema."}], "id": "CVE-2024-28110", "lastModified": "2024-11-21T09:05:50.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-06T22:15:57.550", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110"}, {"source": "security-advisories@github.com", "url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851"}, {"source": "security-advisories@github.com", "url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:8425", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "openshift4/ose-console:v4.15.0-202410240435.p0.g51f940e.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2024:0040", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-cloud-event-proxy-rhel9:v4.16.0-202406131906.p0.g3279440.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2024-06-27T00:00:00Z"}, {"advisory": "RHSA-2024:0040", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-ptp-rhel9-operator:v4.16.0-202406131906.p0.gc8a5dbf.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2024-06-27T00:00:00Z"}, {"advisory": "RHSA-2024:0041", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-console-rhel9:v4.16.0-202406140306.p0.gcb7b078.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2024-06-27T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/client-kn-rhel8:1.11.2-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-controller-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-istio-controller-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-kafka-broker-controller-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-kafka-broker-dispatcher-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-kafka-broker-post-install-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-kafka-broker-receiver-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-kafka-broker-webhook-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-mtping-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/eventing-webhook-rhel8:1.11.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/func-utils-rhel8:1.32.0-3", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/ingress-rhel8-operator:1.32.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/knative-rhel8-operator:1.32.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:1.11.2-3", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/kourier-control-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/net-istio-controller-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/net-istio-webhook-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serverless-operator-bundle:1.32.0-9", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serverless-rhel8-operator:1.32.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serving-activator-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serving-autoscaler-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serving-controller-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serving-queue-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/serving-webhook-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.32.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1-tech-preview/eventing-istio-controller-rhel8:1.11.0-2", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1-tech-preview/knative-client-plugin-event-sender-rhel8:1.11.0-3", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8:1.32.0-5", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1-tech-preview/logic-operator-bundle:1.32.0-8", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1-tech-preview/logic-rhel8-operator:1.32.0-8", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1-tech-preview/logic-swf-builder-rhel8:1.32.0-5", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1333", "cpe": "cpe:/a:redhat:openshift_serverless:1.32::el8", "package": "openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8:1.32.0-4", "product_name": "RHOSS-1.32-RHEL-8", "release_date": "2024-03-14T00:00:00Z"}], "bugzilla": {"description": "cloudevents/sdk-go: usage of WithRoundTripper to create a Client leaks credentials", "id": "2268372", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268372"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-522", "details": ["Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.", "A vulnerability was found in cloudevents/sdk-go. This issue involves using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper results in the go-sdk leaking credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport, causing it to send Authorization tokens to any endpoint it communicates with. This flaw allows an attacker to intercept and abuse these leaked credentials, potentially leading to unauthorized access to sensitive information or executing unauthorized actions on the affected system."], "name": "CVE-2024-28110", "package_state": [{"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines-client", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-clients", "product_name": "OpenShift Serverless"}], "public_date": "2024-03-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-28110\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-28110\nhttps://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2"], "statement": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-522: Insufficiently Protected Credentials vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nAccess to the platform is granted only after successful hard token-based multi-factor authentication (MFA) and enforced through least privilege, ensuring only authorized users can execute or modify code. This secure access mechanism also protects credentials in transit, preventing interception or misuse. Domain accounts follow predefined lockout policies to detect repeated failed login attempts and reduce the risk of credential compromise. The platform further enforces identity verification through IAM roles, restricting infrastructure management to authorized personnel.", "threat_severity": "Moderate"}