Bug 1227039 - VUL-0: CVE-2024-6104: grafana: hashicorp/go-retryablehttp: url might write sensitive information to log file
Summary: VUL-0: CVE-2024-6104: grafana: hashicorp/go-retryablehttp: url might write se...
Status: IN_PROGRESS
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: monitoring-devel
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/411992/
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2024-6104
Reported: 2024-06-26 09:14 UTC by Carlos López
Modified: 2024-06-28 13:47 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2024-06-26 09:14:48 UTC
grafana embeds hashicorp/go-retryablehttp:

go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-6104
https://www.cve.org/CVERecord?id=CVE-2024-6104
https://discuss.hashicorp.com/c/security
https://bugzilla.redhat.com/show_bug.cgi?id=2294000
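The failure mode described above, as an added example that is not part of this bug report or of go-retryablehttp's own code: a log line built from the raw request URL carries any basic-auth credentials embedded as `user:password@host`, while the hardened form drops the userinfo component before logging. The request URL and the `ContainsUserinfo` scanner heuristic are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// URLForLog returns a string safe to write to a log file: the userinfo
// component (credentials embedded as user:password@host) is dropped, while
// scheme, host, path and query are kept so the line stays useful for debugging.
// Note: net/url's (*URL).Redacted() keeps the username and masks only the
// password; here both are removed, which is the stricter choice for logs.
func URLForLog(u *url.URL) string {
	if u == nil {
		return ""
	}
	clean := *u
	clean.User = nil
	return clean.String()
}

// LogLineVulnerable mimics the pre-0.7.7 behaviour described in the bug:
// the full request URL, credentials included, ends up in the log.
func LogLineVulnerable(req *http.Request) string {
	return fmt.Sprintf("[DEBUG] %s %s", req.Method, req.URL.String())
}

// LogLineSafe is the hardened form: same shape, credentials removed.
func LogLineSafe(req *http.Request) string {
	return fmt.Sprintf("[DEBUG] %s %s", req.Method, URLForLog(req.URL))
}

// ContainsUserinfo is a simple check for emitted log lines (constructed
// heuristic, not exhaustive): does any "scheme://" token carry an '@' inside
// its authority part, i.e. before the first '/', '?' or '#'?
func ContainsUserinfo(line string) bool {
	for _, tok := range strings.Fields(line) {
		if i := strings.Index(tok, "://"); i >= 0 {
			rest := tok[i+3:]
			if j := strings.IndexAny(rest, "/?#"); j >= 0 {
				rest = rest[:j]
			}
			if strings.Contains(rest, "@") {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample request with basic-auth credentials in the URL.
	req, _ := http.NewRequest("GET", "https://svc-user:s3cret@api.example.com/v1/items?x=1", nil)
	fmt.Println(LogLineVulnerable(req)) // credentials leak into the log line
	fmt.Println(LogLineSafe(req))       // [DEBUG] GET https://api.example.com/v1/items?x=1
}
```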
Comment 1 Witek Bedyk 2024-06-28 13:47:24 UTC
In the `main` branch of the Grafana project, a dependency on OpenFGA was added, which uses the vulnerable library. The OpenFGA project has already bumped go-retryablehttp to the fixed version 0.7.7 but has not released it yet.

None of our packaged versions of Grafana are affected.

After a new version of OpenFGA is released, we need to make sure the fixed version is used by Grafana.

No actions needed for now. Watching OpenFGA for the new release.