go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
2024-06-24T17:15:11.087
2024-11-21T09:48:58.263
Modified
CVSSv3.1: 6.0 (MEDIUM)
Type | Vendor | Product | Version/Range | Vulnerable? |
---|---|---|---|---|
Application | hashicorp | retryablehttp | < 0.7.7 | Yes |