Bug 1227039

Summary: VUL-0: CVE-2024-6104: grafana: hashicorp/go-retryablehttp: url might write sensitive information to log file
Product: [Novell Products] SUSE Security Incidents
Reporter: Carlos López <carlos.lopez>
Component: Incidents
Assignee: monitoring-devel <monitoring-devel>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: marius.kittler, monitoring-devel, witold.bedyk
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/411992/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1227024

Description Carlos López 2024-06-26 09:14:48 UTC
grafana embeds hashicorp/go-retryablehttp:

go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-6104
https://www.cve.org/CVERecord?id=CVE-2024-6104
https://discuss.hashicorp.com/c/security
https://bugzilla.redhat.com/show_bug.cgi?id=2294000
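The following is an added illustration, not code from go-retryablehttp or Grafana: it contrasts a request-log line that writes the URL verbatim (the pre-0.7.7 behaviour described above) with one that masks the password via the standard library's `url.URL.Redacted()`, and includes a small check a defender can run over existing log lines to spot embedded credentials. The request URL and log format are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
)

// formatRequestLine mimics a retrying HTTP client's "performing request"
// log line. With redact=false the URL is written verbatim, including any
// basic-auth userinfo; with redact=true the password is replaced by
// "xxxxx" using (*url.URL).Redacted from the standard library.
func formatRequestLine(req *http.Request, redact bool) string {
	u := req.URL.String()
	if redact {
		u = req.URL.Redacted()
	}
	return fmt.Sprintf("[DEBUG] %s %s", req.Method, u)
}

// credentialInURL matches "scheme://user:password@" inside a log line and
// captures the password part. Used to audit log output for leaked secrets.
var credentialInURL = regexp.MustCompile(`[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@`)

// leaksPassword reports whether a log line carries an unmasked password in
// a URL's userinfo component (a masked "xxxxx" placeholder does not count).
func leaksPassword(line string) bool {
	m := credentialInURL.FindStringSubmatch(line)
	return m != nil && m[1] != "xxxxx"
}

func main() {
	// Constructed sample: a request whose URL embeds basic-auth credentials.
	req, err := http.NewRequest(http.MethodGet,
		"https://svc-user:s3cret-pass@example.com/api/v1/items?x=1", nil)
	if err != nil {
		panic(err)
	}
	for _, redact := range []bool{false, true} {
		line := formatRequestLine(req, redact)
		fmt.Printf("%s\n  leaks password: %v\n", line, leaksPassword(line))
	}
}
```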
Comment 1 Witek Bedyk 2024-06-28 13:47:24 UTC
In the `main` branch of the Grafana project, the dependency on OpenFGA was added, which uses the vulnerable library. The OpenFGA project has already bumped go-retryablehttp to the fixed version 0.7.7 but has not released it yet.

None of our packaged versions of Grafana are affected.

After a new version of OpenFGA is released, we need to make sure the fixed version is used by Grafana.

No actions needed for now. Watching OpenFGA for the new release.