Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go

Impact

This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.

Patches

The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0

Workarounds

If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.

Published: Jul 5, 2024
Updated: Jul 10, 2024
GHSA: GHSA-xr7q-jx4m-x55m
Severity: Low
Exploit:

No technical information available.

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
google.golang.org/grpc	1.64.0	1.64.1

https://github.com/grpc/grpc-go/commit/ab292411ddc0f3b7a7786754d1fe05264c3021eb
https://github.com/grpc/grpc-go/security/advisories/GHSA-xr7q-jx4m-x55m

Vulnerability Database

289,571

Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go

Impact

Patches

Workarounds