Bug 1227024 (CVE-2024-6104) - VUL-0: CVE-2024-6104: TRACKERBUG: hashicorp/go-retryablehttp: url might write sensitive information to log file
Status: NEW
Alias: CVE-2024-6104
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/411992/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-6104:6.0:(AV:L...
Keywords:
Depends on: 1227025 1227026 1227027 1227028 1227029 1227030 1227031 1227032 1227033 1227034 1227035 1227036 1227037 1227038 1227039 1227041 1227042 1227043 1227044 1227045 1227046 1227047 1227048 1227049 1227050 1227051 1227052 1227053 1227054 1227055 1227056 1227057 1227058 1227059 1227060 1227061 1227062 1227040
Blocks:
Reported: 2024-06-26 09:09 UTC by SMASH SMASH
Modified: 2024-06-26 09:19 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description (SMASH SMASH, 2024-06-26 09:09:47 UTC):
go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-6104
https://www.cve.org/CVERecord?id=CVE-2024-6104
https://discuss.hashicorp.com/c/security
https://bugzilla.redhat.com/show_bug.cgi?id=2294000
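An added illustration of the logging defect described above (example code, not from go-retryablehttp or the original report): a log-line formatter that renders the request URL with String(), which keeps any userinfo, beside one using the standard library's Redacted(), plus a check that flags a log line still carrying the plaintext password. The URL, username and password are constructed sample values.

```go
package main

import (
	"fmt"
	"log"
	"net/url"
	"strings"
)

// formatURLUnsafe mirrors the vulnerable pattern: String() renders the whole
// URL, including "user:password@", so the credentials end up in the log verbatim.
func formatURLUnsafe(u *url.URL) string {
	return u.String()
}

// formatURLRedacted is the hardened form: Redacted() (Go 1.15+) replaces the
// password in the userinfo with "xxxxx" and leaves the rest of the URL intact.
func formatURLRedacted(u *url.URL) string {
	return u.Redacted()
}

// leaksPassword reports whether a rendered log line still contains the
// plaintext password taken from the request URL's userinfo.
func leaksPassword(logLine string, u *url.URL) bool {
	if u.User == nil {
		return false
	}
	pw, ok := u.User.Password()
	if !ok || pw == "" {
		return false
	}
	return strings.Contains(logLine, pw)
}

func main() {
	// Constructed sample: a request URL carrying HTTP basic auth credentials.
	u, err := url.Parse("https://svc-user:S3cretPa55@api.example.test/v1/items?id=42")
	if err != nil {
		log.Fatal(err)
	}
	unsafeLine := "[DEBUG] GET " + formatURLUnsafe(u)
	safeLine := "[DEBUG] GET " + formatURLRedacted(u)
	fmt.Println(unsafeLine, "| leaks password:", leaksPassword(unsafeLine, u))
	fmt.Println(safeLine, "| leaks password:", leaksPassword(safeLine, u))
}
```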