CVE-2024-6104: go-retryablehttp can leak basic auth credentials to log files
First published: Mon Jun 24 2024(Updated: )
go-retryablehttp could allow a local authenticated attacker to obtain sensitive information, caused by the failure to sanitize urls when writing them to its log file. An attacker could exploit this vulnerability to write sensitive HTTP basic auth credentials to its log file.
Credit: security@hashicorp.com security@hashicorp.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/hashicorp/go-retryablehttp | <0.7.7 | 0.7.7 |
| redhat/go-retryablehttp | <0.7.7 | 0.7.7 |
| IBM Rational Team Concert | <=1.0.0, 1.0.1, 1.0.2, 1.0.2.1, 1.0.3 | |
| HashiCorp Retryablehttp | <0.7.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2024-6104
- https://github.com/hashicorp/go-retryablehttp/commit/a99f07beb3c5faaa0a283617e6eb6bcf25f5049a
- https://discuss.hashicorp.com/t/hcsec-2024-12-go-retryablehttp-can-leak-basic-auth-credentials-to-log-files/68027
- https://github.com/advisories/GHSA-v6v8-xj6m-xwqh (Advisory)
- https://discuss.hashicorp.com/c/security
- https://www.ibm.com/support/pages/node/7180303 (Advisory)
- https://access.redhat.com/security/cve/CVE-2024-6104
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2294002
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2294003
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2294004
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2294005
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2294006
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2294007
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2294008
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2294009
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2294010
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2294011
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2294012
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2294013
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2294014
- https://access.redhat.com/errata/RHSA-2024:4316
- https://access.redhat.com/errata/RHSA-2024:4321
- https://access.redhat.com/errata/RHSA-2024:4479
- https://access.redhat.com/errata/RHSA-2024:4613
- https://access.redhat.com/errata/RHSA-2024:4699
- https://access.redhat.com/errata/RHSA-2024:4872
- https://access.redhat.com/errata/RHSA-2024:4853
- https://access.redhat.com/errata/RHSA-2024:4858
- https://access.redhat.com/errata/RHSA-2024:4846
- https://access.redhat.com/errata/RHSA-2024:4848
- https://access.redhat.com/errata/RHSA-2024:4965
- https://access.redhat.com/errata/RHSA-2024:4960
- https://access.redhat.com/errata/RHSA-2024:4963
- https://access.redhat.com/errata/RHSA-2024:5194
- https://access.redhat.com/errata/RHSA-2024:5258
- https://access.redhat.com/errata/RHSA-2024:5107
- https://access.redhat.com/errata/RHSA-2024:5160
- https://access.redhat.com/errata/RHSA-2024:5199
- https://access.redhat.com/errata/RHSA-2024:5200
- https://access.redhat.com/errata/RHSA-2024:5547
- https://access.redhat.com/errata/RHSA-2024:5634
- https://access.redhat.com/errata/RHSA-2024:5433
- https://access.redhat.com/errata/RHSA-2024:5444
- https://access.redhat.com/errata/RHSA-2024:5446
- https://access.redhat.com/errata/RHSA-2024:5808
- https://access.redhat.com/errata/RHSA-2024:6054
- https://access.redhat.com/errata/RHSA-2024:6004
- https://access.redhat.com/errata/RHSA-2024:6194
- https://access.redhat.com/errata/RHSA-2024:6009
- https://access.redhat.com/errata/RHSA-2024:6409
- https://access.redhat.com/errata/RHSA-2024:6406
- https://access.redhat.com/errata/RHSA-2024:6738
- https://access.redhat.com/errata/RHSA-2024:6642
- https://access.redhat.com/errata/RHSA-2024:6755
- https://access.redhat.com/errata/RHSA-2024:6811
- https://access.redhat.com/errata/RHSA-2024:3722
- https://access.redhat.com/errata/RHSA-2024:7184
- https://access.redhat.com/errata/RHSA-2024:7624
- https://access.redhat.com/errata/RHSA-2024:7744
- https://access.redhat.com/errata/RHSA-2024:8040
- https://access.redhat.com/errata/RHSA-2024:9098
- https://access.redhat.com/errata/RHSA-2024:9115
- https://access.redhat.com/errata/RHSA-2024:10518
- https://access.redhat.com/errata/RHSA-2024:10823
- https://access.redhat.com/errata/RHSA-2024:11562
- https://access.redhat.com/errata/RHSA-2025:0029
- https://access.redhat.com/errata/RHSA-2025:1116
- https://access.redhat.com/errata/RHSA-2024:6122
- https://access.redhat.com/errata/RHSA-2025:1829
- https://access.redhat.com/errata/RHSA-2025:1865
- https://access.redhat.com/errata/RHSA-2025:1866
- https://bugzilla.redhat.com/show_bug.cgi?id=2294000
Frequently Asked Questions
What is the severity of CVE-2024-6104?
CVE-2024-6104 has a medium severity, as it can lead to the exposure of sensitive information.
How do I fix CVE-2024-6104?
To fix CVE-2024-6104, upgrade to the version 0.7.7 or later of the go-retryablehttp library.
What type of attacker can exploit CVE-2024-6104?
CVE-2024-6104 can be exploited by a local authenticated attacker with access to the log files.
What information could be exposed due to CVE-2024-6104?
CVE-2024-6104 could expose sensitive HTTP basic authentication credentials written to the log file.
Which applications are affected by CVE-2024-6104?
CVE-2024-6104 affects Hashicorp Retryablehttp library versions up to 0.7.7 and related packages.
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-v6v8-xj6m-xwqh
- alias/CVE-2024-6104
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/github-advisory
- agent/severity
- agent/epss
- collector/epss-latest
- source/FIRST
- agent/trending
- agent/description
- agent/source
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- agent/softwarecombine
- agent/last-modified-date
- agent/references
- agent/tags
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- package-manager/go
- vendor/ibm
- canonical/ibm rational team concert
- version/ibm rational team concert/1.0.0, 1.0.1, 1.0.2, 1.0.2.1, 1.0.3
- vendor/hashicorp
- canonical/hashicorp retryablehttp
- package-manager/redhat