mikeee / gin-limits Goto Github PK

.github/workflows/go.yaml

• actions/checkout v4
• actions/setup-go v5
• codecov/codecov-action v4

go.mod

• go 1.19
• github.com/gin-gonic/gin v1.9.1
• github.com/stretchr/testify v1.9.0

Vulnerable Library - github.com/gin-gonic/gIn-v1.9.0

Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.9.0.zip

CVE-2023-29401

Vulnerable Library - github.com/gin-gonic/gIn-v1.9.0

Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.9.0.zip

Dependency Hierarchy:

• ❌ github.com/gin-gonic/gIn-v1.9.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Gin Web Framework the filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.

Publish Date: 2023-04-05

URL: CVE-2023-29401

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Step up your Open Source Security Game with Mend here

Vulnerable Library - github.com/gin-GONIC/GIN-v1.9.1

Found in HEAD commit: 7df6446da5cb7099c6f3d042fa4be81eccf38efb

CVE-2023-39325

Vulnerable Library - golang.org/x/net-v0.10.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.10.0.zip

Dependency Hierarchy:

• github.com/gin-GONIC/GIN-v1.9.1 (Root Library)
  • ❌ golang.org/x/net-v0.10.0 (Vulnerable Library)

Found in HEAD commit: 7df6446da5cb7099c6f3d042fa4be81eccf38efb

Found in base branch: main

Vulnerability Details

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

Publish Date: 2023-10-11

URL: CVE-2023-39325

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2023-2102

Release Date: 2023-10-11

Fix Resolution: go1.20.10, go1.21.3, golang.org/x/net - v0.17.0

Step up your Open Source Security Game with Mend here