CVE-2024-28110

Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials

Description

Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.07%
Affected: cloudevents sdk-go
Published at:
Updated at:

References

Link Tags
https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2
https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851
https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110

Frequently Asked Questions

What is the severity of CVE-2024-28110?
CVE-2024-28110 has been scored as a high severity vulnerability.
How to fix CVE-2024-28110?
To fix CVE-2024-28110, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-28110 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-28110 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-28110?
CVE-2024-28110 affects cloudevents sdk-go.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.