CVE-2024-6104
📋 TL;DR
CVE-2024-6104 is an information disclosure vulnerability in go-retryablehttp where URLs containing HTTP basic authentication credentials are written to log files without sanitization. This affects applications using go-retryablehttp versions prior to 0.7.7 that have logging enabled. Sensitive credentials could be exposed in log files accessible to unauthorized users.
💻 Affected Systems
- go-retryablehttp
📦 What is this software?
go-retryablehttp by HashiCorp, a Go HTTP client library that automatically retries failed requests.
⚠️ Risk & Real-World Impact
Worst Case
HTTP basic authentication credentials (usernames and passwords) are written to log files and subsequently accessed by attackers, leading to credential theft and potential account compromise.
Likely Case
Credentials are exposed in log files that may be accessible to system administrators, developers, or automated log processing systems, increasing the risk of accidental exposure or insider threats.
If Mitigated
If proper access controls are in place and logs are secured, the impact is limited to exposure to authorized personnel who should already have access to the credentials.
🎯 Exploit Status
Exploitation requires access to log files where the credentials are written. No special authentication is needed to read the logs if they are improperly secured.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.7.7
Vendor Advisory: https://discuss.hashicorp.com/c/security
Restart Required: Yes
Instructions:
1. Update go-retryablehttp to version 0.7.7 or later using your package manager (e.g., 'go get github.com/hashicorp/go-retryablehttp@v0.7.7').
2. Rebuild and redeploy any applications using the library.
3. Restart services to ensure the updated library is loaded.
🔧 Temporary Workarounds
Disable go-retryablehttp logging
Prevent credential exposure by disabling logging in the go-retryablehttp configuration.
Configure your application to set the Logger field of retryablehttp.Client to nil or to a no-op logger.
Sanitize logs externally
Use log processing tools to filter or redact sensitive information from log files.
Implement log filtering with tools like logrotate, syslog-ng, or custom scripts to remove URLs containing basic auth credentials.
🧯 If You Can't Patch
- Implement strict access controls on log files (e.g., set permissions to read-only for authorized users only).
- Monitor log files for unauthorized access attempts and regularly audit log contents for credential exposure.
🔍 How to Verify
Check if Vulnerable:
Check the go.mod file or run 'go list -m github.com/hashicorp/go-retryablehttp' to find the resolved go-retryablehttp version. If the version is below 0.7.7, the system is vulnerable.
Check Version:
go list -m github.com/hashicorp/go-retryablehttp
Verify Fix Applied:
After updating, verify the version is 0.7.7 or higher with 'go list -m github.com/hashicorp/go-retryablehttp'. Test that URLs with basic auth are no longer logged in plain text.
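The version check above is easy to do by eye for a single binary, but it is worth automating when many services are audited. The following Go program is an added example written for this page, not code from go-retryablehttp or HashiCorp. It assumes only that 'go list -m <module>' prints the module path followed by the resolved version on one line (the standard output format of the go tool); the sample outputs in main() are constructed, and the threshold is the 0.7.7 release named in this advisory. Go pseudo-versions such as v0.7.7-0.2024...-abcdef are treated as pre-releases of v0.7.7 and therefore flagged as still vulnerable, which is the conservative reading.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedVersion is the patch release named in the advisory.
const fixedVersion = "v0.7.7"

// parseSemver splits "v0.7.6" (or "0.7.6", or "v0.7.6-rc1") into its
// numeric major/minor/patch parts. A "-" suffix marks a pre-release,
// which sorts before the same version without the suffix.
func parseSemver(v string) (parts [3]int, prerelease bool, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		prerelease = v[i] == '-'
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, false, fmt.Errorf("unexpected version format %q", v)
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return parts, false, fmt.Errorf("non-numeric component in %q", v)
		}
		parts[i] = n
	}
	return parts, prerelease, nil
}

// versionLess reports whether a < b in semver order: numeric parts first,
// then a pre-release sorts before the corresponding release.
func versionLess(a, b string) (bool, error) {
	pa, preA, err := parseSemver(a)
	if err != nil {
		return false, err
	}
	pb, preB, err := parseSemver(b)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i], nil
		}
	}
	return preA && !preB, nil
}

// IsVulnerable takes the one-line output of
//   go list -m github.com/hashicorp/go-retryablehttp
// ("<module path> <version>", optionally followed by a "=> replacement")
// and reports whether the resolved version is below the fixed release.
func IsVulnerable(goListOutput string) (bool, error) {
	fields := strings.Fields(goListOutput)
	if len(fields) < 2 || fields[0] != "github.com/hashicorp/go-retryablehttp" {
		return false, fmt.Errorf("unexpected go list output %q", goListOutput)
	}
	return versionLess(fields[1], fixedVersion)
}

func main() {
	// Constructed sample outputs, not captured from a real build.
	for _, out := range []string{
		"github.com/hashicorp/go-retryablehttp v0.7.6",
		"github.com/hashicorp/go-retryablehttp v0.7.7",
		"github.com/hashicorp/go-retryablehttp v0.7.7-0.20240101000000-abcdef123456",
	} {
		vuln, err := IsVulnerable(out)
		fmt.Printf("%-75s vulnerable=%v err=%v\n", out, vuln, err)
	}
}
```

In a real audit, pipe the actual 'go list -m' output of each service into IsVulnerable (for example by running the command with os/exec from the module directory) rather than the constructed strings in main().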
📡 Detection & Monitoring
Log Indicators:
- Log entries containing URLs with 'http://username:password@' patterns in application logs.
Network Indicators:
- None specific to this vulnerability; focus on log monitoring.
SIEM Query:
source="application.logs" AND "http://*:*@*"
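The "Sanitize logs externally" workaround and the log indicator above both come down to the same operation: find URLs in a log line, check whether they carry a userinfo component, and mask it. The Go program below is an added example written for this page, not code from go-retryablehttp or HashiCorp, and it uses only the standard library. The sample log lines are constructed to resemble request logging with an embedded credential; they are not real output from the library. Passwords are masked with url.URL.Redacted from net/url, which replaces the password with "xxxxx" and keeps the username, so the audit trail still shows that a credential was present without recording it.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// urlPattern finds http/https URLs inside free-form log text. It stops at
// whitespace and quote characters so a quoted URL does not swallow the rest
// of the line.
var urlPattern = regexp.MustCompile(`https?://[^\s"'<>]+`)

// sampleLog is constructed test data shaped like request logging that
// embeds a basic-auth credential in the URL.
var sampleLog = []string{
	`2024-06-01T10:00:00Z [DEBUG] GET http://api.example.com/health`,
	`2024-06-01T10:00:01Z [DEBUG] GET https://alice:s3cret@api.example.com/v1/items?page=2`,
	`2024-06-01T10:00:02Z [ERR] request failed url="http://svc:hunter2@10.0.0.5:8080/metrics" attempt=3`,
}

// HasEmbeddedCredentials reports whether the line contains at least one URL
// with a userinfo component (user:pass@host), the indicator this advisory
// describes.
func HasEmbeddedCredentials(line string) bool {
	for _, raw := range urlPattern.FindAllString(line, -1) {
		u, err := url.Parse(raw)
		if err == nil && u.User != nil {
			return true
		}
	}
	return false
}

// RedactLine rewrites every credential-bearing URL in the line using
// url.URL.Redacted, which replaces the password with "xxxxx". URLs without
// userinfo and text that does not parse as a URL are left unchanged.
func RedactLine(line string) string {
	return urlPattern.ReplaceAllStringFunc(line, func(raw string) string {
		u, err := url.Parse(raw)
		if err != nil || u.User == nil {
			return raw
		}
		return u.Redacted()
	})
}

// ScanLog returns the 1-based line numbers of every line that carries an
// embedded credential, the same question the SIEM query above asks.
func ScanLog(lines []string) []int {
	var hits []int
	for i, line := range lines {
		if HasEmbeddedCredentials(line) {
			hits = append(hits, i+1)
		}
	}
	return hits
}

func main() {
	fmt.Println("lines with embedded credentials:", ScanLog(sampleLog))
	for _, line := range sampleLog {
		fmt.Println(RedactLine(line))
	}
}
```

Wired into a log pipeline, RedactLine runs on each line before it is written to disk or shipped, while ScanLog (or the equivalent SIEM query) run over already-written logs tells you which historical entries need to be purged and which credentials should be rotated.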