{
  "threat_severity" : "Moderate",
  "public_date" : "2024-03-06T00:00:00Z",
  "bugzilla" : {
    "description" : "cloudevents/sdk-go: usage of WithRoundTripper to create a Client leaks credentials",
    "id" : "2268372",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2268372"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-522",
  "details" : [ "Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.", "A vulnerability was found in cloudevents/sdk-go. Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper results in the go-sdk leaking credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport, causing it to send Authorization tokens to any endpoint it communicates with. This flaw allows an attacker to intercept and abuse these leaked credentials, potentially leading to unauthorized access to sensitive information or executing unauthorized actions on the affected system." ],
  "affected_release" : [ {
    "product_name" : "OpenShift-Pipelines-1.15-RHEL-8",
    "release_date" : "2024-06-20T00:00:00Z",
    "advisory" : "RHEA-2024:4022",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.15::el8",
    "package" : "openshift-pipelines-client-0:1.15.0-11496.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.15",
    "release_date" : "2024-10-31T00:00:00Z",
    "advisory" : "RHSA-2024:8425",
    "cpe" : "cpe:/a:redhat:openshift:4.15::el8",
    "package" : "openshift4/ose-console:v4.15.0-202410240435.p0.g51f940e.assembly.stream.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2024-06-27T00:00:00Z",
    "advisory" : "RHSA-2024:0040",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el9",
    "package" : "openshift4/ose-cloud-event-proxy-rhel9:v4.16.0-202406131906.p0.g3279440.assembly.stream.el9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2024-06-27T00:00:00Z",
    "advisory" : "RHSA-2024:0040",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el9",
    "package" : "openshift4/ose-ptp-rhel9-operator:v4.16.0-202406131906.p0.gc8a5dbf.assembly.stream.el9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2024-06-27T00:00:00Z",
    "advisory" : "RHSA-2024:0041",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el9",
    "package" : "openshift4/ose-console-rhel9:v4.16.0-202406140306.p0.gcb7b078.assembly.stream.el9"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/client-kn-rhel8:1.11.2-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-controller-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-istio-controller-rhel8:1.11.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-kafka-broker-controller-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-kafka-broker-dispatcher-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-kafka-broker-post-install-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-kafka-broker-receiver-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-kafka-broker-webhook-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-mtbroker-filter-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-mtchannel-broker-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-mtping-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-storage-version-migration-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/eventing-webhook-rhel8:1.11.0-4"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/func-utils-rhel8:1.32.0-3"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/ingress-rhel8-operator:1.32.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/knative-rhel8-operator:1.32.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/kn-cli-artifacts-rhel8:1.11.2-3"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/kourier-control-rhel8:1.11.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/net-istio-controller-rhel8:1.11.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/net-istio-webhook-rhel8:1.11.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/serverless-operator-bundle:1.32.0-9"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/serverless-rhel8-operator:1.32.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/serving-activator-rhel8:1.11.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/serving-autoscaler-hpa-rhel8:1.11.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/serving-autoscaler-rhel8:1.11.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/serving-controller-rhel8:1.11.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/serving-queue-rhel8:1.11.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/serving-storage-version-migration-rhel8:1.11.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/serving-webhook-rhel8:1.11.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1/svls-must-gather-rhel8:1.32.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1-tech-preview/eventing-istio-controller-rhel8:1.11.0-2"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1-tech-preview/knative-client-plugin-event-sender-rhel8:1.11.0-3"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8:1.32.0-5"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1-tech-preview/logic-operator-bundle:1.32.0-8"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1-tech-preview/logic-rhel8-operator:1.32.0-8"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1-tech-preview/logic-swf-builder-rhel8:1.32.0-5"
  }, {
    "product_name" : "RHOSS-1.32-RHEL-8",
    "release_date" : "2024-03-14T00:00:00Z",
    "advisory" : "RHSA-2024:1333",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.32::el8",
    "package" : "openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8:1.32.0-4"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Not affected",
    "package_name" : "openshift-serverless-clients",
    "cpe" : "cpe:/a:redhat:serverless:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-28110\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-28110\nhttps://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2" ],
  "name" : "CVE-2024-28110",
  "csaw" : false
}