Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/gin-gonic/gin: GHSA-2c4m-59x9-fr2g #1777

Closed
GoVulnBot opened this issue May 12, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/gin-gonic/gin: GHSA-2c4m-59x9-fr2g #1777

GoVulnBot opened this issue May 12, 2023 · 1 comment
Assignees
@jba
Labels
duplicate

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-2c4m-59x9-fr2g, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/gin-gonic/gin >= 1.3.1-0.20190301021747-ccb9e902956d, <= 1.9.0

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/gin-gonic/gin
    versions:
      - introduced: TODO (earliest fixed "", vuln range ">= 1.3.1-0.20190301021747-ccb9e902956d,
            <= 1.9.0")
    packages:
      - package: github.com/gin-gonic/gin
summary: Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment
    function
description: |-
    The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat&quot;;x=.txt" will be sent as a file named "setup.bat".

    If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.
cves:
  - CVE-2023-29401
ghsas:
  - GHSA-2c4m-59x9-fr2g
references:
  - report: https://github.com/gin-gonic/gin/issues/3555
  - fix: https://github.com/gin-gonic/gin/pull/3556
  - web: https://pkg.go.dev/vuln/GO-2023-1737
  - advisory: https://github.com/advisories/GHSA-2c4m-59x9-fr2g
@jba jba self-assigned this May 15, 2023
@jba jba added the duplicate label May 15, 2023
@jba
Copy link
Contributor

jba commented May 15, 2023

Duplicate of #1737

@jba jba marked this as a duplicate of #1737 May 15, 2023
@jba jba closed this as completed May 15, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jba jba

Labels
duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jba @GoVulnBot