CVE-2024-6104: 
Terraform Community vulnerability analysis and mitigation

The vulnerability (CVE-2024-6104) affects go-retryablehttp prior to version 0.7.7. The package did not sanitize URLs when writing them to its log file, which could lead to sensitive HTTP basic auth credentials being exposed in log files (NVD).

The vulnerability stems from a lack of input sanitization in go-retryablehttp's logging functionality. When URLs containing basic authentication credentials are processed, the package writes these URLs directly to log files without properly sanitizing the sensitive information. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N by NIST, and a score of 6.0 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N by HashiCorp (NVD).

The vulnerability could result in the exposure of sensitive authentication credentials through log files. When basic authentication is used in URLs processed by the package, these credentials could be written to log files in plaintext, potentially allowing unauthorized access to sensitive information (NVD).

The vulnerability has been fixed in go-retryablehttp version 0.7.7. Users are advised to upgrade to this version or later to address the security issue. The fix includes proper URL sanitization before writing to log files (NVD).