Skip to main content

CVE-2024-6104

CVE-2024-6104

go-retryablehttp can leak basic auth credentials to log files

This issue is tied to the use of remco in our Docker images using the vulnerable go-retryablehttp lib. As of current publication, the most current remco version is still using the vulnerable lib. Thus, we cannot resolve this issue by upgrading to the never remco version.

Vulnerability analysis:

This vulnerability exists in a very specific use case scenario as it relates to Rundeck and Process Automation.

Preconditions:

  • A customer is using Hashicorp Consul to create rundeck configurations

  • A customer is using HTTP basic auth credentials to connect to Consul

  • Logging of authentication API requests to Consul is enabled

What may happen

  • Unredacted basic auth credentials may get logged

Ex:

Unredacted URL: https://user:password@example.com Redacted URL: https://user:xxxxx@example.com

Recommendation

Given that a relatively unique setup is required (consul + basic auth) and there is no existing patch for remco at this time this will be listed as a Known Issue. The team will continue to monitor remco to check for patched versions.