x/vulndb: potential Go vuln in github.com/gin-gonic/gin: CVE-2023-26125 #1755

Closed
GoVulnBot opened this issue May 4, 2023 · 4 comments
Labels
excluded: NOT_A_VULNERABILITY This is not a vulnerability.


@GoVulnBot

CVE-2023-26125 references github.com/gin-gonic/gin, which may be a Go module.

Description:
Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.

Note: Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/gin-gonic/gin
    packages:
      - package: github.com/gin-gonic/gin
description: "Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable
    to Improper Input Validation by allowing an attacker to use a specially crafted
    request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.\r\r**Note:**
    Although this issue does not pose a significant threat on its own it can serve
    as an input vector for other more impactful vulnerabilities. However, successful
    exploitation may depend on the server configuration and whether the header is
    used in the application logic.\n"
cves:
  - CVE-2023-26125
references:
  - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-3324285
  - fix: https://github.com/t0rchwo0d/gin/commit/fd9f98e70fb4107ee68c783482d231d35e60507b
  - fix: https://github.com/gin-gonic/gin/pull/3500
  - fix: https://github.com/gin-gonic/gin/pull/3503
  - web: https://github.com/gin-gonic/gin/releases/tag/v1.9.0

@jba jba self-assigned this May 10, 2023
@jba jba removed their assignment May 10, 2023
@jba
Contributor

jba commented May 10, 2023

The NIST page says "This vulnerability is currently undergoing analysis and not all information is available. Please check back soon to view the completed vulnerability summary." So not filing a report now.

@saargon

saargon commented May 28, 2023

@jba Looks like the advisory has since been updated, can it be added?

Thanks! :)

@neild neild self-assigned this Jun 13, 2023
@neild
Contributor

neild commented Jun 13, 2023

I'm not seeing the vulnerability here. The report says that this can lead to cache poisoning, but I don't see the path to that outcome. Perhaps I'm missing something.

My inclination is to mark this NOT_A_VULNERABILITY.

@neild neild added the "excluded: NOT_A_VULNERABILITY" label (This is not a vulnerability.) and removed the NeedsReport label Jul 10, 2023
@gopherbot
Contributor

Change https://go.dev/cl/509516 mentions this issue: data/excluded: batch add 6 excluded reports
