CVE-2024-6104
go-retryablehttp can leak basic auth credentials to log files
This issue is tied to the use of remco in our Docker images; remco depends on the vulnerable go-retryablehttp library. As of this publication, the most current remco release still uses the vulnerable library, so we cannot resolve this issue by upgrading to a newer remco version.
Vulnerability analysis:
This vulnerability exists in a very specific use case scenario as it relates to Rundeck and Process Automation.
Preconditions:
- A customer is using HashiCorp Consul to create Rundeck configurations
- A customer is using HTTP basic auth credentials to connect to Consul
- Logging of authentication API requests to Consul is enabled
What may happen:
- Unredacted basic auth credentials may get logged
Example:
Unredacted URL: https://user:password@example.com
Redacted URL: https://user:xxxxx@example.com
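The example above shows the difference between an unredacted and a redacted URL. The Go program below is an added illustration, not code from remco, go-retryablehttp or Rundeck: it uses the standard library's url.URL.Redacted (which replaces a password with "xxxxx", exactly as in the example) to show how a client should redact a URL before writing it to a log, and it adds a simple defender-side scan that flags log lines in which a known basic auth password appears. The helper names (RedactURL, LogRequestURL, LinesWithCredentials), the Consul-style path and the sample log lines are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RedactURL returns raw with any password replaced by "xxxxx", which is what
// Go's standard url.URL.Redacted() does. A string that does not parse as a URL
// is returned unchanged. Added illustration, not remco's or go-retryablehttp's code.
func RedactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return raw
	}
	return u.Redacted()
}

// LogRequestURL is a hypothetical helper that builds the debug line a retrying
// HTTP client might emit before each attempt. It redacts the URL first, so basic
// auth credentials never reach the log file.
func LogRequestURL(method, raw string) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, RedactURL(raw))
}

// LinesWithCredentials scans log lines for a known basic auth password embedded
// in a URL (":password@") and returns the offending lines. This is a simple check
// a defender can run over existing logs to see whether an unpatched client has
// already written Consul credentials to disk.
func LinesWithCredentials(lines []string, password string) []string {
	var hits []string
	if password == "" {
		return hits
	}
	for _, l := range lines {
		if strings.Contains(l, ":"+password+"@") {
			hits = append(hits, l)
		}
	}
	return hits
}

func main() {
	// Constructed sample: a Consul URL carrying basic auth credentials.
	raw := "https://user:password@example.com/v1/kv/rundeck/config"
	fmt.Println("Unredacted URL:", raw)
	fmt.Println("Redacted URL:  ", RedactURL(raw))

	// Constructed sample log lines: the first is what an unpatched client would
	// write, the second comes from a client that redacts before logging.
	logs := []string{
		"[DEBUG] GET https://user:password@example.com/v1/kv/rundeck/config",
		LogRequestURL("GET", raw),
	}
	for _, hit := range LinesWithCredentials(logs, "password") {
		fmt.Println("credentials leaked in log line:", hit)
	}
}
```

Running the program prints the redacted form of the constructed URL and reports only the unpatched client's log line as a leak. The scan is deliberately narrow (it looks for the specific password you already know was configured for Consul), which keeps false positives low when checking whether a deployment meeting the preconditions above has actually exposed credentials.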
Recommendation
Given that a relatively unique setup is required (Consul plus basic auth) and there is no patch for remco at this time, this will be listed as a Known Issue. The team will continue to monitor remco for a patched version.