data/reports: update GO-2023-2328.yaml
Add missing GHSA.

Aliases: CVE-2023-45286, GHSA-xwh9-gc39-5298

Updates #2328
Fixes #2357

Change-Id: Ie4b7593cc7bb3251d5919db76ddfe99a4fdeff15
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/547980
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
tatianab committed Dec 11, 2023
1 parent a5751d1 commit 497dfa0
Showing 2 changed files with 4 additions and 1 deletion.
3 changes: 2 additions & 1 deletion data/osv/GO-2023-2328.json
Expand Up @@ -4,7 +4,8 @@
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2023-45286"
"CVE-2023-45286",
"GHSA-xwh9-gc39-5298"
],
"summary": "HTTP request body disclosure in github.com/go-resty/resty/v2",
"details": "A race condition in go-resty can result in HTTP request body disclosure across requests.\n\nThis condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request.\n\nThe sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.",
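Review bot: the "modified" and "published" fields two lines above the alias change still carry the zero-value timestamp 0001-01-01T00:00:00Z while the aliases array is being edited; if data/osv is generated from data/reports, this file should be the generator's output (which also fixes the alias ordering, CVE first then GHSA, seen here) rather than a hand edit, so it is worth confirming that the zero timestamps are intentional for files in this directory and that the committed JSON matches what the generator produces for the updated YAML.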
2 changes: 2 additions & 0 deletions data/reports/GO-2023-2328.yaml
Expand Up @@ -33,6 +33,8 @@ description: |-
The sync.Pool in question is defined at package level scope, so a completely
unrelated server could receive the request body.
ghsas:
- GHSA-xwh9-gc39-5298
credits:
- Logan Attwood (@lattwood)
references:
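Review bot: the new "ghsas:" list is inserted between the description text and "credits:", and its single entry matches the alias added to the companion OSV JSON, so the two files agree; since the hunk shows no neighbouring "cves:" key, check that the key placement follows the report schema's expected ordering. The commit message says only "Add missing GHSA" and does not cite where the id came from, so it would help to confirm that GHSA-xwh9-gc39-5298 is the advisory published for CVE-2023-45286 (for example by adding it under "references:" if the report convention is to link advisories there).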
