AZL-35761

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-35761.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-35761

Upstream

CVE-2024-28110

Published

2024-03-06T22:15:57Z

Modified

2026-04-01T05:12:13.815097Z

Summary

CVE-2024-28110 affecting package telegraf for versions less than 1.28.5-5

Details

Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-28110

Affected packages

Azure Linux:2 / telegraf

Package

Name: telegraf
Purl: pkg:rpm/azure-linux/telegraf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.28.5-5

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-35761.json"