Timeline
- Jun 21, 2024 CVE Published
**Bulletin ID:** HCSEC-2024-12

**Affected Products / Versions:** go-retryablehttp up to 0.7.6, fixed in go-retryablehttp 0.7.7

**Publication Date:** June 21, 2024

**Summary**

go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

**Background**

[go-retryablehttp](https://github.com/hashicorp/go-retryablehttp) is a Go library that provides an HTTP client interface with automatic retries and exponential backoff.

**Details**

All versions of go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. A request URL of the form `https://user:password@host/path` therefore reached the log verbatim, so anyone with read access to the log file could recover the HTTP basic auth credentials embedded in it. This vulnerability was fixed in go-retryablehttp 0.7.7.

**Remediation**

Maintainers of software using the go-retryablehttp package should evaluate the risk associated with this issue and consider upgrading to version 0.7.7.

**Acknowledgement**

HashiCorp thanks Danny Hershko Shemesh (dany74q) from Wiz for identifying and developing the fix for this issue, and Dan Luhring from Chainguard for independently identifying this issue.
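The class of defect described above, and the shape of its fix, is shown by the following added example. It is not go-retryablehttp's own code and does not reproduce its logger; the function names (`unsafeLogLine`, `safeLogLine`, `redactURL`, `stripUserinfo`, `leaksPassword`) and the sample URL and credential are constructed for this illustration. The redaction itself relies on the standard library's `url.URL.Redacted`, which replaces any password in the userinfo with `xxxxx`; the stricter variant drops the userinfo entirely.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// unsafeLogLine mirrors the pre-0.7.7 behaviour described in the advisory:
// the request URL is written to the log exactly as given, credentials included.
func unsafeLogLine(method, rawURL string) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, rawURL)
}

// redactURL parses rawURL and returns it with any password in the userinfo
// replaced by "xxxxx" (url.URL.Redacted, Go 1.15+). A URL with only a username,
// or with no userinfo at all, is returned unchanged.
func redactURL(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	return u.Redacted(), nil
}

// stripUserinfo removes the whole user[:password]@ component. This is the safer
// default when usernames themselves are considered sensitive (for example when
// the "username" is an API token).
func stripUserinfo(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	u.User = nil
	return u.String(), nil
}

// safeLogLine is the fixed counterpart of unsafeLogLine: the URL is redacted
// before it is formatted into the log message. A URL that fails to parse is
// logged as an opaque placeholder rather than echoed back verbatim.
func safeLogLine(method, rawURL string) string {
	redacted, err := redactURL(rawURL)
	if err != nil {
		redacted = "<unparseable url>"
	}
	return fmt.Sprintf("[DEBUG] %s %s", method, redacted)
}

// leaksPassword is a simple detection check one might run over existing log
// output: it reports whether a known secret appears verbatim in a log line.
func leaksPassword(logLine, password string) bool {
	return password != "" && strings.Contains(logLine, password)
}

func main() {
	// Constructed sample: a request carrying basic auth in the URL.
	const password = "s3cret"
	rawURL := "https://alice:" + password + "@api.example.com/v1/items?x=1"

	vulnerable := unsafeLogLine("GET", rawURL)
	fixed := safeLogLine("GET", rawURL)
	stripped, _ := stripUserinfo(rawURL)

	fmt.Println("vulnerable:", vulnerable, "leaks:", leaksPassword(vulnerable, password))
	fmt.Println("fixed:     ", fixed, "leaks:", leaksPassword(fixed, password))
	fmt.Println("stripped:  ", stripped)
}
```

Redaction keeps the username visible, which is usually what an operator wants for correlating requests; `stripUserinfo` is the option to choose when the log may be shipped to a system with broader read access than the secret itself should have.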