PT-2024-2218 · Unknown · Go Sdk For Cloudevents

Mattmoor +1 · Published 2024-03-06 · Updated 2025-12-04 · CVE-2024-28110

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Go SDK for CloudEvents versions prior to 2.15.2

Description: The issue lies in the cloudevents.WithRoundTripper function of the Go SDK for CloudEvents, which causes the SDK to leak credentials to arbitrary endpoints when used with an authenticated http.RoundTripper. The function installs the authenticated transport on the process-wide http.DefaultClient, so Authorization tokens are sent to every endpoint that shared client contacts, including ones unrelated to the SDK. The estimated number of potentially affected devices worldwide is not available.

Recommendations: For versions prior to 2.15.2, update to version 2.15.2, which patches the issue. As a temporary workaround, avoid using cloudevents.WithRoundTripper with an authenticated http.RoundTripper until the update is applied. Restrict access to http.DefaultClient to minimize the risk of exploitation, and avoid using the Transport field of http.DefaultClient until the issue is resolved.
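The following Go program is an added illustration of the failure mode described above; it is not code from the CloudEvents SDK or from the advisory. It uses a constructed bearer-token RoundTripper and a local httptest server standing in for an unrelated third-party endpoint. vulnerableInstall mirrors the described mutation of http.DefaultClient.Transport; fixedInstall is the safe pattern of giving the SDK its own http.Client. The check shows that a plain http.Get to the unrelated server carries the token in the first case and not in the second.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// authTransport is a constructed stand-in for an "authenticated http.RoundTripper":
// it attaches a bearer token to every outgoing request before delegating to base.
type authTransport struct {
	token string
	base  http.RoundTripper
}

func (t *authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.base.RoundTrip(r)
}

// vulnerableInstall mirrors the pre-2.15.2 behaviour the advisory describes:
// the authenticated transport is installed on the process-wide http.DefaultClient,
// so every caller of http.Get/http.Post in the process now sends the token.
func vulnerableInstall(rt http.RoundTripper) *http.Client {
	http.DefaultClient.Transport = rt
	return http.DefaultClient
}

// fixedInstall is the safe pattern: a dedicated client owns the authenticated
// transport, and http.DefaultClient is left untouched.
func fixedInstall(rt http.RoundTripper) *http.Client {
	return &http.Client{Transport: rt}
}

// unrelatedRequestLeaksToken installs the authenticated transport via install,
// then performs a plain http.Get (which uses http.DefaultClient) against a local
// server representing an unrelated endpoint. It reports whether that server
// received an Authorization header.
func unrelatedRequestLeaksToken(install func(http.RoundTripper) *http.Client) (bool, error) {
	// Restore the default client afterwards so each call starts from a clean state.
	defer func() { http.DefaultClient.Transport = nil }()

	var leaked atomic.Bool
	thirdParty := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "" {
			leaked.Store(true)
		}
		w.WriteHeader(http.StatusOK)
	}))
	defer thirdParty.Close()

	// Constructed token value; never a real credential.
	rt := &authTransport{token: "constructed-example-token", base: http.DefaultTransport}
	sdkClient := install(rt)
	_ = sdkClient // an SDK would use this client for its own event delivery

	// An unrelated code path in the same process reaches for the package-level helper.
	resp, err := http.Get(thirdParty.URL)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return leaked.Load(), nil
}

func main() {
	v, err := unrelatedRequestLeaksToken(vulnerableInstall)
	if err != nil {
		panic(err)
	}
	f, err := unrelatedRequestLeaksToken(fixedInstall)
	if err != nil {
		panic(err)
	}
	fmt.Printf("token leaked when DefaultClient.Transport is mutated: %v\n", v)
	fmt.Printf("token leaked with a dedicated http.Client:           %v\n", f)
}
```

The same check works as a regression test inside a service that wraps the SDK: point the unrelated request at a recording server, and fail the build if any Authorization header arrives there.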

Exploit

Fix

Weakness Enumeration: Insufficiently Protected Credentials

Related Identifiers

AZL-35751
AZL-35761
BDU:2024-02146
CVE-2024-28110
GHSA-5PF6-2QWX-PXM2
GO-2024-2618

Affected Products

Go Sdk For Cloudevents