Bug 1227024 (CVE-2024-6104)

Summary: VUL-0: CVE-2024-6104: TRACKERBUG: hashicorp/go-retryablehttp: url might write sensitive information to log file
Product: SUSE Security Incidents ([Novell Products])
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carlos.lopez
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/411992/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-6104:6.0:(AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1227025, 1227026, 1227027, 1227028, 1227029, 1227030, 1227031, 1227032, 1227033, 1227034, 1227035, 1227036, 1227037, 1227038, 1227039, 1227041, 1227042, 1227043, 1227044, 1227045, 1227046, 1227047, 1227048, 1227049, 1227050, 1227051, 1227052, 1227053, 1227054, 1227055, 1227056, 1227057, 1227058, 1227059, 1227060, 1227061, 1227062, 1227040
Bug Blocks:

Description SMASH SMASH 2024-06-26 09:09:47 UTC
go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials (the user:password@ userinfo part of the URL) to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
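The following is an added example, not code from go-retryablehttp or from the upstream fix, showing the class of defect and the mitigation: a request URL that carries basic auth credentials in its userinfo is written to a debug log verbatim, versus the same log line built from a URL whose userinfo has been stripped first. The helper names (redactURL, unsafeLogLine, safeLogLine) and the sample URL are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// redactURL returns rawURL with its userinfo (user:password@) removed so the
// result can be written to a log file without leaking basic auth credentials.
// Hypothetical helper; go-retryablehttp's own fix is not reproduced here.
func redactURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		// Do not echo input we could not parse; it may still contain secrets.
		return "<unparseable url>"
	}
	u.User = nil // drop username and password entirely
	return u.String()
}

// unsafeLogLine models the pre-0.7.7 behaviour: the URL is logged as given.
func unsafeLogLine(method, rawURL string) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, rawURL)
}

// safeLogLine models the mitigation: userinfo is stripped before logging.
func safeLogLine(method, rawURL string) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, redactURL(rawURL))
}

func main() {
	// Constructed sample request URL with embedded basic auth credentials.
	raw := "https://alice:s3cret@api.example.com/v1/items?page=2"
	fmt.Println("vulnerable:", unsafeLogLine("GET", raw))
	fmt.Println("mitigated: ", safeLogLine("GET", raw))
}
```

Stripping the whole userinfo is the conservative choice for a log line; the standard library's `(*url.URL).Redacted()` (Go 1.15 and later) is the alternative when the username is useful for debugging, since it keeps the user and replaces only the password with "xxxxx". Either way, the redaction must happen at the logging call site, not just when the request is sent.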

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-6104
https://www.cve.org/CVERecord?id=CVE-2024-6104
https://discuss.hashicorp.com/c/security
https://bugzilla.redhat.com/show_bug.cgi?id=2294000