HCSEC-2024-12 - go-retryablehttp can leak basic auth credentials to log files

Bulletin ID: HCSEC-2024-12
Affected Products / Versions: go-retryablehttp up to and including 0.7.6, fixed in go-retryablehttp 0.7.7
Publication Date: June 21, 2024

Summary
go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

Background
go-retryablehttp is a Go library that provides an HTTP client interface with automatic retries and exponential backoff.

Details
All versions of go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials (the userinfo part of a URL such as `https://user:password@host/path`) to its log file. This vulnerability was fixed in go-retryablehttp 0.7.7.
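The following is an added illustration of the failure mode and of the defensive pattern, written for this bulletin; it is not go-retryablehttp's own code or its actual fix. It contrasts a log line built from the raw request URL (which carries any basic auth userinfo straight into the log) with two redacted forms: the standard library's `url.URL.Redacted`, which masks only the password, and a stricter variant that drops the userinfo entirely. The function names and the sample URL are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
)

// redactURL returns the URL with any basic-auth password replaced by
// "xxxxx", using the standard library's URL.Redacted. The username is
// kept, which is usually acceptable for debugging. (Hypothetical helper.)
func redactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		// Never echo unparseable input verbatim: it may still contain a secret.
		return "<unparseable url>"
	}
	return u.Redacted()
}

// stripCredentials removes the whole userinfo component (username and
// password) before the URL is rendered, for logs where even the username
// should not appear. (Hypothetical helper.)
func stripCredentials(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable url>"
	}
	u.User = nil
	return u.String()
}

// logLineUnsafe reproduces the pre-0.7.7 behaviour the bulletin describes:
// the raw URL, userinfo included, is formatted into the log message.
func logLineUnsafe(method, raw string) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, raw)
}

// logLineSafe formats the redacted URL instead, so credentials never reach
// the log file.
func logLineSafe(method, raw string) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, redactURL(raw))
}

func main() {
	// Constructed sample request URL; "hunter2" stands in for a real password.
	raw := "https://alice:hunter2@api.example.com/v1/items?page=2"
	fmt.Println(logLineUnsafe("GET", raw)) // password lands in the log
	fmt.Println(logLineSafe("GET", raw))   // password masked as xxxxx
	fmt.Println(stripCredentials(raw))     // userinfo removed entirely
}
```

When auditing your own logging, grep log output for `@` inside URLs and for the literal password used in a test account; a clean result under the redacted path and a hit under the raw path is the behavioural difference between the affected and fixed versions.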

Remediation
Maintainers of software using the go-retryablehttp package should evaluate the risk associated with this issue and consider upgrading to version 0.7.7.

Acknowledgement
HashiCorp thanks Danny Hershko Shemesh (dany74q) from Wiz for identifying and developing the fix for this issue, and Dan Luhring from Chainguard for independently identifying this issue.