CVE-2024-6104
go-retryablehttp can leak basic auth credentials to log files
This issue is tied to the use of remco in our Docker images, which pulls in the vulnerable go-retryablehttp library. As of current publication, the most recent remco version still uses the vulnerable library, so this issue cannot be resolved simply by upgrading to a newer remco version.
Vulnerability analysis:
This vulnerability applies only to a very specific use case scenario in Rundeck and Process Automation.
Preconditions:
- A customer is using HashiCorp Consul to create Rundeck configurations
- A customer is using HTTP basic auth credentials to connect to Consul
- Logging of authentication API requests to Consul is enabled
What may happen
- Unredacted basic auth credentials may get logged
Example:
Unredacted URL: https://user:password@example.com
Redacted URL: https://user:xxxxx@example.com
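The two URL forms above illustrate the whole defect: the library logged the request URL verbatim, so a password carried in the URL's userinfo ended up in the log, while the redacted form replaces the password with "xxxxx". The Go program below is an added example, not code from go-retryablehttp, remco or Rundeck. It shows the unsafe and the safe logging call side by side using the standard library's (*url.URL).Redacted, which produces exactly the "xxxxx" form shown above, and adds a small sweep that flags lines in an existing log that still carry an unredacted password. The Consul path, the regular expression and the sample log lines are constructed for the example and are not taken from the advisory.

```go
package main

import (
	"fmt"
	"log"
	"net/url"
	"regexp"
)

// RedactURL parses raw and returns it with any userinfo password replaced by
// "xxxxx", which is what net/url's (*URL).Redacted does. This is the shape of
// the safe logging call: log the redacted string, never the raw URL.
func RedactURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return u.Redacted(), nil
}

// credURL matches a scheme://user:password@host prefix and captures the
// password field. Constructed for this example; it is a heuristic, not a
// full URL grammar.
var credURL = regexp.MustCompile(`[A-Za-z][A-Za-z0-9+.-]*://[^/\s:@]+:([^/\s@]+)@`)

// FindLeakedCredentials returns the log lines that still carry an unredacted
// password inside a URL. Lines whose password field is the literal "xxxxx"
// produced by Redacted are treated as already sanitized.
func FindLeakedCredentials(lines []string) []string {
	var leaked []string
	for _, line := range lines {
		for _, m := range credURL.FindAllStringSubmatch(line, -1) {
			if m[1] != "xxxxx" {
				leaked = append(leaked, line)
				break
			}
		}
	}
	return leaked
}

func main() {
	// Constructed sample: a Consul KV lookup URL carrying basic auth credentials.
	raw := "https://user:password@example.com/v1/kv/rundeck/config"

	// Unsafe pattern: the raw URL reaches the log verbatim, password included.
	log.Printf("[DEBUG] GET %s", raw)

	// Safe pattern: redact before the value reaches any logger.
	safe, err := RedactURL(raw)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("[DEBUG] GET %s", safe)

	// Constructed log lines, as a sweep over an existing log file would see them.
	lines := []string{
		"[DEBUG] GET https://user:password@example.com/v1/kv/rundeck/config",
		"[DEBUG] GET https://user:xxxxx@example.com/v1/kv/rundeck/config",
		"[DEBUG] GET https://example.com/v1/kv/rundeck/config",
	}
	for _, l := range FindLeakedCredentials(lines) {
		fmt.Println("unredacted credential in log line:", l)
	}
}
```

Redacted only rewrites the password component, so a URL with a bare username or no userinfo at all passes through unchanged; the detection sweep ignores those cases for the same reason and only reports lines where a non-"xxxxx" password sits between the user and the host.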
Recommendation
Upgrade to version 5.11.0.
This vulnerability was fixed in Remco version 0.12.5, which is included in the 5.11.0 release.