Information Exposure Through Log Files Affecting container-tools:rhel8/slirp4netns package, versions <0:1.2.3-1.module_el8.10.0+3876+e55593a8


Severity

Recommended
high

Based on AlmaLinux security rating.

Threat Intelligence

EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Information Exposure Through Log Files vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-ALMALINUX8-CONTAINERTOOLS-7687005
  • published14 Aug 2024
  • disclosed12 Nov 2024

Introduced: 14 Aug 2024

CVE-2024-6104  (opens in a new tab)
CWE-532  (opens in a new tab)

How to fix?

Upgrade AlmaLinux:8 container-tools:rhel8/slirp4netns to version 0:1.2.3-1.module_el8.10.0+3876+e55593a8 or higher.
This issue was patched in ALSA-2024:5258.

NVD Description

Note: Versions mentioned in the description apply only to the upstream container-tools:rhel8/slirp4netns package and not the container-tools:rhel8/slirp4netns package as distributed by AlmaLinux. See How to fix? for AlmaLinux:8 relevant fixed versions and status.

go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

CVSS Scores

version 3.1