
Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go

Low severity GitHub Reviewed Published Jul 3, 2024 in grpc/grpc-go • Updated Jul 9, 2024

Package

gomod google.golang.org/grpc (Go)

Affected versions

>= 1.64.0, < 1.64.1

Patched versions

1.64.1

Description

Impact

This issue represents a potential PII concern. If an application prints or logs a context containing gRPC metadata, the output produced with the affected versions will contain all of that metadata, which may include private information.

Patches

The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0.

Workarounds

If you are using an affected version and cannot upgrade, make sure you do not log or print contexts; this avoids the problem.
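
The workaround as an added Go example (not code from this advisory or from grpc-go): `ContextLeaks` formats a context the way a logger would and looks for a canary token, and `SafeFields` logs only allowlisted keys instead of the context. `mdKey`, `printableMD`, `opaqueMD`, `ctxWith` and the sample values are hypothetical stand-ins built on the standard library; `printableMD` assumes a metadata value that prints its contents when formatted.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

type mdKey struct{} // hypothetical context key for this example

// printableMD is a hypothetical stand-in for request metadata whose String
// method prints every value (assumption: models the exposure described above).
type printableMD map[string][]string

func (m printableMD) String() string { return fmt.Sprint(map[string][]string(m)) }

// opaqueMD carries the same data but has no String method.
type opaqueMD map[string][]string

// ctxWith stores md in a context under the example key.
func ctxWith(md any) context.Context { return context.WithValue(context.Background(), mdKey{}, md) }

// ContextLeaks reports whether formatting ctx the way a logger would exposes canary.
func ContextLeaks(ctx context.Context, canary string) bool {
	for _, verb := range []string{"%v", "%+v", "%s"} {
		if strings.Contains(fmt.Sprintf(verb, ctx), canary) {
			return true
		}
	}
	return false
}

// SafeFields is the workaround in code: log only allowlisted keys, never the context.
func SafeFields(md map[string][]string, allow ...string) string {
	var parts []string
	for _, k := range allow {
		if v, ok := md[k]; ok {
			parts = append(parts, k+"="+strings.Join(v, ","))
		}
	}
	return strings.Join(parts, " ")
}

func main() {
	md := map[string][]string{"authorization": {"Bearer canary-7f3a"}, "x-request-id": {"r1"}} // constructed sample
	fmt.Println(ContextLeaks(ctxWith(printableMD(md)), "canary-7f3a"))
	fmt.Println(ContextLeaks(ctxWith(opaqueMD(md)), "canary-7f3a"))
	fmt.Println(SafeFields(md, "x-request-id"))
}
```

A check like `ContextLeaks` can run as a regression test against a service's real request contexts, with a canary value placed in the metadata.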

References

@dfawley published to grpc/grpc-go Jul 3, 2024
Published to the GitHub Advisory Database Jul 5, 2024
Reviewed Jul 5, 2024
Last updated Jul 9, 2024

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-xr7q-jx4m-x55m

Source code
