CVE-2024-6104 - OpenCVE

go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Hashicorp	Retryablehttp

Configuration 1 [-]

cpe:2.3:a:hashicorp:retryablehttp:*:*:*:*:*:go:*:*

References

Link	Resource
https://discuss.hashicorp.com/c/security	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: HashiCorp

Published: 2024-06-24T17:06:21.150Z

Updated: 2024-06-24T19:19:28.773Z

Reserved: 2024-06-17T22:19:58.680Z

Link: CVE-2024-6104

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-06-24T17:15:11.087

Modified: 2024-06-26T17:19:40.850

Link: CVE-2024-6104

JSON object: View

Redhat Information

No data.

CWE

CWE-532

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6104", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2024-06-17T22:19:58.680Z", "datePublished": "2024-06-24T17:06:21.150Z", "dateUpdated": "2024-06-24T19:19:28.773Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Shared library", "repo": "https://github.com/hashicorp/go-retryablehttp", "vendor": "HashiCorp", "versions": [{"lessThan": "0.7.7", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.</p><br/>"}], "value": "go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7."}], "impacts": [{"capecId": "CAPEC-118", "descriptions": [{"lang": "en", "value": "CAPEC-118: Collect and Analyze Information"}]}], "metrics": [{"cvssV3_1": {"baseScore": 6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2024-06-24T17:06:21.150Z"}, "references": [{"url": "https://discuss.hashicorp.com/c/security"}], "source": {"advisory": "HCSEC-2024-12", "discovery": "EXTERNAL"}, "title": "go-retryablehttp can leak basic auth credentials to log files"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-24T19:19:22.878144Z", "id": "CVE-2024-6104", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-24T19:19:28.773Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:retryablehttp:*:*:*:*:*:go:*:*", "matchCriteriaId": "0FCBD41E-84B7-4720-A6EA-9A617EEC3F30", "versionEndExcluding": "0.7.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7."}, {"lang": "es", "value": "go-retryablehttp anterior a 0.7.7 no sanitizaba las URL al escribirlas en su archivo de registro. Esto podr\u00eda llevar a que go-retryablehttp escriba credenciales de autenticaci\u00f3n b\u00e1sicas HTTP confidenciales en su archivo de registro. Esta vulnerabilidad, CVE-2024-6104, se solucion\u00f3 en go-retryablehttp 0.7.7."}], "id": "CVE-2024-6104", "lastModified": "2024-06-26T17:19:40.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 4.0, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2024-06-24T17:15:11.087", "references": [{"source": "security@hashicorp.com", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/c/security"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "security@hashicorp.com", "type": "Secondary"}]}