Ubuntu: (CVE-2024-6104): golang-github-hashicorp-go-retryablehttp vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:L/AC:L/Au:M/C:C/I:N/A:N) | Jun 24, 2024 | Jun 26, 2025 | Aug 18, 2025 |
Description
go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
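The class of fix described above, as an added example (not go-retryablehttp's code or its actual patch): strip the userinfo from a URL before it is logged, and scrub log lines that were already written by an affected version. The names `sanitizeURL`, `scrubLine` and `credURL`, the `REDACTED` marker and the sample log lines are assumptions constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// credURL matches http(s) URLs that carry a userinfo part (user[:pass]@host).
var credURL = regexp.MustCompile(`https?://[^\s/@]+@[^\s"']+`)

// sanitizeURL returns raw with the whole userinfo replaced, so neither the
// user name nor the password reaches the log.
func sanitizeURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable-url>" // never echo input we could not parse
	}
	if u.User != nil {
		u.User = url.User("REDACTED")
	}
	return u.String()
}

// scrubLine rewrites every credential-bearing URL in an existing log line
// and reports whether one was found (i.e. whether a secret needs rotating).
func scrubLine(line string) (string, bool) {
	found := false
	out := credURL.ReplaceAllStringFunc(line, func(m string) string {
		found = true
		return sanitizeURL(m)
	})
	return out, found
}

func main() {
	// Constructed sample log lines; host and credentials are made up.
	lines := []string{
		"[DEBUG] GET https://svc:s3cr3t@api.example.test/v1/items?page=2",
		"[DEBUG] GET https://api.example.test/v1/health",
	}
	for _, l := range lines {
		clean, leaked := scrubLine(l)
		fmt.Printf("leaked=%-5v %s\n", leaked, clean)
	}
}
```

Any credential that `scrubLine` reports as found in an existing log should be treated as exposed and rotated, since scrubbing the file does not undo earlier reads or copies of it.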
Solution
no-fix-ubuntu-package
References
- CVE-2024-6104
- https://attackerkb.com/topics/CVE-2024-6104
- CWE-532
- https://discuss.hashicorp.com/t/hcsec-2024-12-go-retryablehttp-can-leak-basic-auth-credentials-to-log-files/68027
- https://github.com/hashicorp/go-retryablehttp/commit/a99f07beb3c5faaa0a283617e6eb6bcf25f5049a
- https://github.com/hashicorp/go-retryablehttp/pull/158
- https://www.cve.org/CVERecord?id=CVE-2024-6104