GET

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

GET /api/vulnerabilities/16720?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/16720?format=api",
    "vulnerability_id": "VCID-sajm-cnn5-jqac",
    "summary": "Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\nUsing cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.\n\nThe relevant code is [here](https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110) (also inline, emphasis added):\n\n<pre>if p.Client == nil {\n  p.Client = **http.DefaultClient**\n}\n\nif p.roundTripper != nil {\n  p.Client.**Transport = p.roundTripper**\n}\n</pre>\n\nWhen the transport is populated with an authenticated transport such as:\n- [oauth2.Transport](https://pkg.go.dev/golang.org/x/oauth2#Transport)\n- [idtoken.NewClient(...).Transport](https://pkg.go.dev/google.golang.org/api/idtoken#NewClient)\n\n... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to\n**any endpoint** it is used to contact!\n\nFound and patched by: @tcnghia and @mattmoor\n\n### Patches\nv.2.15.2",
    "aliases": [
        {
            "alias": "CVE-2024-28110"
        },
        {
            "alias": "GHSA-5pf6-2qwx-pxm2"
        }
    ],
    "fixed_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/56322?format=api",
            "purl": "pkg:golang/github.com/cloudevents/sdk-go/v2@2.15.2",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/github.com/cloudevents/sdk-go/v2@2.15.2"
        }
    ],
    "affected_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/93549?format=api",
            "purl": "pkg:rpm/redhat/openshift-pipelines-client@1.15.0-11496?arch=el8",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-aj2b-56uj-gkar"
                },
                {
                    "vulnerability": "VCID-bq1t-9nnj-mkes"
                },
                {
                    "vulnerability": "VCID-jwrn-5t32-3fbq"
                },
                {
                    "vulnerability": "VCID-q1ze-sun1-xkah"
                },
                {
                    "vulnerability": "VCID-sajm-cnn5-jqac"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/openshift-pipelines-client@1.15.0-11496%3Farch=el8"
        }
    ],
    "references": [
        {
            "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28110.json",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "6.5",
                    "scoring_system": "cvssv3",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
                }
            ],
            "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28110.json"
        },
        {
            "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28110",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "0.00137",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33252",
                    "published_at": "2026-04-24T12:55:00Z"
                },
                {
                    "value": "0.00137",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33539",
                    "published_at": "2026-04-02T12:55:00Z"
                },
                {
                    "value": "0.00137",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33572",
                    "published_at": "2026-04-04T12:55:00Z"
                },
                {
                    "value": "0.00137",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33412",
                    "published_at": "2026-04-07T12:55:00Z"
                },
                {
                    "value": "0.00137",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33455",
                    "published_at": "2026-04-08T12:55:00Z"
                },
                {
                    "value": "0.00137",
                    "scoring_system": "epss",
                    "scoring_elements": "0.3349",
                    "published_at": "2026-04-09T12:55:00Z"
                },
                {
                    "value": "0.00137",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33493",
                    "published_at": "2026-04-11T12:55:00Z"
                },
                {
                    "value": "0.00137",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33452",
                    "published_at": "2026-04-12T12:55:00Z"
                },
                {
                    "value": "0.00137",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33428",
                    "published_at": "2026-04-13T12:55:00Z"
                },
                {
                    "value": "0.00137",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33464",
                    "published_at": "2026-04-16T12:55:00Z"
                },
                {
                    "value": "0.00137",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33439",
                    "published_at": "2026-04-18T12:55:00Z"
                },
                {
                    "value": "0.00137",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33408",
                    "published_at": "2026-04-21T12:55:00Z"
                }
            ],
            "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28110"
        },
        {
            "reference_url": "https://github.com/cloudevents/sdk-go",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "7.5",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                },
                {
                    "value": "HIGH",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "https://github.com/cloudevents/sdk-go"
        },
        {
            "reference_url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "7.5",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                },
                {
                    "value": "HIGH",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                },
                {
                    "value": "Track",
                    "scoring_system": "ssvc",
                    "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-07T16:39:07Z/"
                }
            ],
            "url": "https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110"
        },
        {
            "reference_url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "7.5",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                },
                {
                    "value": "HIGH",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                },
                {
                    "value": "Track",
                    "scoring_system": "ssvc",
                    "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-07T16:39:07Z/"
                }
            ],
            "url": "https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851"
        },
        {
            "reference_url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "7.5",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                },
                {
                    "value": "HIGH",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                },
                {
                    "value": "Track",
                    "scoring_system": "ssvc",
                    "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-07T16:39:07Z/"
                }
            ],
            "url": "https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2"
        },
        {
            "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268372",
            "reference_id": "2268372",
            "reference_type": "",
            "scores": [],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268372"
        },
        {
            "reference_url": "https://access.redhat.com/errata/RHSA-2024:0040",
            "reference_id": "RHSA-2024:0040",
            "reference_type": "",
            "scores": [],
            "url": "https://access.redhat.com/errata/RHSA-2024:0040"
        },
        {
            "reference_url": "https://access.redhat.com/errata/RHSA-2024:1333",
            "reference_id": "RHSA-2024:1333",
            "reference_type": "",
            "scores": [],
            "url": "https://access.redhat.com/errata/RHSA-2024:1333"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 522,
            "name": "Insufficiently Protected Credentials",
            "description": "The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval."
        }
    ],
    "exploits": [],
    "severity_range_score": "6.5 - 8.9",
    "exploitability": "0.5",
    "weighted_severity": "8.0",
    "risk_score": 4.0,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sajm-cnn5-jqac"
}