CVE-2024-6104

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-6104

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-6104.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-6104

Aliases

Downstream

AZL-42874

AZL-42877

AZL-42880

AZL-42886

AZL-42892

AZL-42898

AZL-42904

AZL-42910

AZL-42913

AZL-42916

AZL-42922

AZL-42928

AZL-42931

AZL-42936

AZL-42942

AZL-42943

CLEANSTART-2026-GG94489

DEBIAN-CVE-2024-6104

ECHO-b0f2-2138-6028

MGASA-2024-0343

MINI-7366-4j7w-cjwv

MINI-83r2-4xmp-xrfv

MINI-mjq4-2q9v-x2xx

MINI-rgh4-pcrr-5r6c

MINI-vqpj-g58c-8jw6

OESA-2025-1053

OESA-2025-1055

RHEA-2024:7866

RHSA-2024:3722

RHSA-2024:4853

RHSA-2024:4858

RHSA-2024:4963

RHSA-2024:5194

RHSA-2024:5258

RHSA-2024:5446

RHSA-2024:5634

RHSA-2024:6194

RHSA-2024:9098

RHSA-2024:9115

RLSA-2024:5258

SUSE-RU-2025:02091-1

SUSE-RU-2025:02092-1

SUSE-RU-2025:02093-1

SUSE-SU-2024:2273-1

SUSE-SU-2024:2273-2

SUSE-SU-2024:2286-1

SUSE-SU-2024:3062-1

SUSE-SU-2024:3266-1

SUSE-SU-2024:3267-1

SUSE-SU-2024:3288-1

SUSE-SU-2024:3546-1

SUSE-SU-2025:0420-1

SUSE-SU-2025:0458-1

SUSE-SU-2025:0579-1

SUSE-SU-2025:0775-1

SUSE-SU-2025:1036-1

SUSE-SU-2025:1037-1

SUSE-SU-2025:1038-1

SUSE-SU-2025:1332-1

SUSE-SU-2025:1333-1

SUSE-SU-2025:20013-1

SUSE-SU-2025:20080-1

SUSE-SU-2025:20143-1

SUSE-SU-2025:20179-1

SUSE-SU-2025:20198-1

SUSE-SU-2025:20363-1

SUSE-SU-2025:20869-1

UBUNTU-CVE-2024-6104

openSUSE-SU-2024:0226-1

openSUSE-SU-2024:0227-1

openSUSE-SU-2024:14092-1

openSUSE-SU-2024:14102-1

openSUSE-SU-2024:14105-1

openSUSE-SU-2024:14211-1

openSUSE-SU-2024:14257-1

openSUSE-SU-2024:14258-1

openSUSE-SU-2025:14663-1

openSUSE-SU-2025:14988-1

openSUSE-SU-2025:14990-1

openSUSE-SU-2025:15052-1

Related

Published

2024-06-24T17:06:21.150Z

Modified

2026-05-12T03:52:52.265296Z

Severity

6.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N CVSS Calculator

Summary

go-retryablehttp can leak basic auth credentials to log files

Details

go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

Database specific

{
    "cwe_ids": [
        "CWE-532"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/6xxx/CVE-2024-6104.json",
    "cna_assigner": "HashiCorp"
}

References

Affected packages

Git / github.com/hashicorp/go-retryablehttp

Affected ranges

Type: GIT
Repo: https://github.com/hashicorp/go-retryablehttp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1542b31176d3973a6ecbc06c05a2d0df89b59afb

Affected versions

v0.*

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.5.4

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.6.5

v0.6.6

v0.6.7

v0.6.8

v0.7.0

v0.7.1

v0.7.2

v0.7.3

v0.7.4

v0.7.5

v0.7.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-6104.json"