x/vulndb: potential Go vuln in github.com/gin-gonic/gin: GHSA-2c4m-59x9-fr2g #1777

Closed
GoVulnBot opened this issue May 12, 2023 · 1 comment

@GoVulnBot

In GitHub Security Advisory GHSA-2c4m-59x9-fr2g, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/gin-gonic/gin | | >= 1.3.1-0.20190301021747-ccb9e902956d, <= 1.9.0 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/gin-gonic/gin
    versions:
      - introduced: TODO (earliest fixed "", vuln range ">= 1.3.1-0.20190301021747-ccb9e902956d, <= 1.9.0")
    packages:
      - package: github.com/gin-gonic/gin
summary: Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function
description: |-
    The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat".

    If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different from the one provided. A maliciously crafted attachment file name can modify the Content-Disposition header.
cves:
  - CVE-2023-29401
ghsas:
  - GHSA-2c4m-59x9-fr2g
references:
  - report: https://github.com/gin-gonic/gin/issues/3555
  - fix: https://github.com/gin-gonic/gin/pull/3556
  - web: https://pkg.go.dev/vuln/GO-2023-1737
  - advisory: https://github.com/advisories/GHSA-2c4m-59x9-fr2g
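To make the header problem in the description concrete from the defender's side, here is a small Go example added to this report; it is not gin's code and not the fix from the referenced pull request. It builds a Content-Disposition header two ways: with plain string formatting and no escaping, the pattern the description attributes to the unsanitized code path, and with the standard library's mime.FormatMediaType, which quotes and escapes the parameter value. The helper dispositionIsIntact is this example's own: it parses the header back with mime.ParseMediaType and requires exactly one filename parameter equal to the name the application meant to send. The crafted filename is the one quoted in the description; the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"mime"
)

// naiveDisposition builds the header with string formatting and no escaping.
// A `"` inside the filename closes the quoted-string early, and whatever
// follows it is read by the client as further header parameters.
func naiveDisposition(filename string) string {
	return fmt.Sprintf(`attachment; filename="%s"`, filename)
}

// safeDisposition builds the same header with mime.FormatMediaType, which
// emits the filename as a bare token when it can and otherwise as a
// quoted-string with `"` and `\` backslash-escaped (RFC 2045 syntax). Names
// with non-ASCII bytes are emitted in the RFC 2231 filename*= form instead.
// It returns "" if the value cannot be represented at all.
func safeDisposition(filename string) string {
	return mime.FormatMediaType("attachment", map[string]string{"filename": filename})
}

// dispositionIsIntact is the check a code review or unit test would apply:
// parse the header back and require a clean "attachment" disposition carrying
// exactly one parameter, filename, equal to the intended name. A smuggled
// extra parameter or a parse error fails the check.
func dispositionIsIntact(header, intended string) bool {
	dtype, params, err := mime.ParseMediaType(header)
	if err != nil || dtype != "attachment" || len(params) != 1 {
		return false
	}
	return params["filename"] == intended
}

func main() {
	// The crafted name from the advisory text, plus a benign one for contrast.
	for _, name := range []string{`setup.bat";x=.txt`, "report.pdf"} {
		naive, safe := naiveDisposition(name), safeDisposition(name)
		fmt.Printf("filename %q\n", name)
		fmt.Printf("  naive: %-45s intact=%v\n", naive, dispositionIsIntact(naive, name))
		fmt.Printf("  safe:  %-45s intact=%v\n", safe, dispositionIsIntact(safe, name))
	}
}
```

For the crafted name the naive header becomes `attachment; filename="setup.bat";x=.txt"`, so a parser sees the filename end at `setup.bat` and a second parameter `x`; the escaped form is `attachment; filename="setup.bat\";x=.txt"` and round-trips to the original name. The round-trip check is the useful regression test to keep: it fails on any construction that lets a quote or semicolon in the name change the header's structure, whichever escaping routine a project ends up using.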

@jba jba self-assigned this May 15, 2023
@jba jba added the duplicate label May 15, 2023
@jba
jba commented May 15, 2023

Duplicate of #1737

@jba jba marked this as a duplicate of #1737 May 15, 2023
@jba jba closed this as completed May 15, 2023