
x/vulndb: potential Go vuln in github.com/gin-gonic/gin: CVE-2023-29401 #1737

Closed
motoyasu-saburi opened this issue Apr 25, 2023 · 6 comments

Comments

@motoyasu-saburi

Description

Gin is a web framework written in Go.
Gin v1.9.0 and below is vulnerable to Reflected File Download.
This problem occurs when FileAttachment() is used.
A pull request to correct this problem has been provided, but the problem has not yet been fixed.

Affected Modules, Packages, Versions and Symbols

Module: github.com/gin-gonic/gin
Package: github.com/gin-gonic/gin
Versions:
  - Introduced: 1.9.0
Symbols:
  - FileAttachment

Does this vulnerability already have an associated CVE ID?

No

CVE ID

No response

Credit

No response

CWE ID

No response

Pull Request

gin-gonic/gin#3556

Commit

No response

References

Report:
gin-gonic/gin#3555

Additional information

No response
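The report above names the symbol and the bug class but does not show the failure, so here is an added, stand-alone Go example (not code from gin-gonic/gin, and not the fix in gin-gonic/gin#3556) that models the Reflected File Download pattern: a download endpoint that accepts a filename after a weak extension check and formats it straight into a Content-Disposition quoted-string, beside a hardened header builder. The endpoint, the `.txt` check, the input `setup.bat";x=.txt`, the function names and the hardening (RFC 6266 quoted-string escaping for ASCII names, RFC 5987 `filename*` for non-ASCII names) are this example's own assumptions; the file body is a constructed string so nothing is read from disk.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"unicode/utf8"
)

// naiveDisposition formats the name straight into a quoted-string. A double
// quote inside the name closes the quoted-string early, and the client reads
// whatever follows as further Content-Disposition parameters.
func naiveDisposition(filename string) string {
	return fmt.Sprintf(`attachment; filename="%s"`, filename)
}

// safeDisposition is this example's hardening (not the project's fix): drop
// control bytes, escape backslash and double quote inside an RFC 6266
// quoted-string for ASCII names, and emit an RFC 5987 ext-value otherwise.
func safeDisposition(filename string) string {
	filename = stripControls(filename)
	if isASCII(filename) {
		return `attachment; filename="` + escapeQuotes(filename) + `"`
	}
	return `attachment; filename*=UTF-8''` + rfc5987Encode(filename)
}

func stripControls(s string) string {
	return strings.Map(func(r rune) rune {
		if r < 0x20 || r == 0x7f {
			return -1 // strings.Map drops runes mapped to a negative value
		}
		return r
	}, s)
}

func isASCII(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] >= utf8.RuneSelf {
			return false
		}
	}
	return true
}

func escapeQuotes(s string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(s)
}

// rfc5987Encode percent-encodes every byte outside the RFC 5987 attr-char set.
func rfc5987Encode(s string) string {
	const attrPunct = "!#$&+-.^_`|~"
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9', strings.IndexByte(attrPunct, c) >= 0:
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// attachmentHandler is a constructed download endpoint: the "name" query
// parameter only has to end in ".txt" and is then used as the attachment name.
func attachmentHandler(disposition func(string) string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		name := r.URL.Query().Get("name")
		if !strings.HasSuffix(name, ".txt") {
			http.Error(w, "only .txt downloads", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		w.Header().Set("Content-Disposition", disposition(name))
		fmt.Fprintln(w, "constructed file body") // stands in for the served file
	}
}

// dispositionFor sends one request through h and returns the header it set.
func dispositionFor(h http.HandlerFunc, name string) string {
	req := httptest.NewRequest(http.MethodGet, "/download?name="+url.QueryEscape(name), nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Result().Header.Get("Content-Disposition")
}

// parsedFilename reads the header back the way a strict RFC parser does.
func parsedFilename(header string) (string, error) {
	_, params, err := mime.ParseMediaType(header)
	if err != nil {
		return "", err
	}
	return params["filename"], nil
}

func main() {
	// constructed input: passes the ".txt" check, but the embedded quote makes
	// the naive header read as filename="setup.bat" followed by junk
	evil := `setup.bat";x=.txt`
	for _, v := range []struct {
		label string
		fn    func(string) string
	}{{"naive", naiveDisposition}, {"safe", safeDisposition}} {
		hdr := dispositionFor(attachmentHandler(v.fn), evil)
		name, err := parsedFilename(hdr)
		fmt.Printf("%-5s %s\n      strict parse: filename=%q err=%v\n", v.label, hdr, name, err)
	}
}
```

The naive header comes out as `attachment; filename="setup.bat";x=.txt"`, so a lenient browser saves a `.bat` even though the server believed it was sending a `.txt`; the escaped header round-trips the whole string as the filename. Go's `mime.ParseMediaType` refuses the naive header outright, which is a useful check in a test suite but no protection on the client side, where parsers are forgiving. Note also that `net/http` already replaces CR and LF in header values, so the quote, not newline injection, is the vector that matters here.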

@zpavlinovic zpavlinovic self-assigned this Apr 25, 2023
@tatianab tatianab changed the title x/vulndb: potential Go vuln in github.com/gin-gonic/gin x/vulndb: potential Go vuln in github.com/gin-gonic/gin: CVE-2023-29401 May 10, 2023
@gopherbot

Change https://go.dev/cl/494315 mentions this issue: data/reports: add GO-2023-1737.yaml

gopherbot pushed a commit that referenced this issue May 11, 2023
Aliases: CVE-2023-29401

Updates #1737

Change-Id: Iaf02c0a5966e96a2515b0c31b8739bc4a80131ce
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/494315
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
@zpavlinovic

zpavlinovic commented May 11, 2023

@motoyasu-saburi Would you mind notifying us here if and when the fix becomes available?

@zpavlinovic

The Go Vulnerability Database has designated this GO-2023-1737 (https://pkg.go.dev/vuln/GO-2023-1737) and CVE-2023-29401. To add a fixed version or otherwise update this report, you can reopen and comment on #1737.

@motoyasu-saburi

@zpavlinovic Okay, thank you for your support.

@herrberk

herrberk commented Jun 1, 2023

@zpavlinovic a fix for this vulnerability is now available via v1.9.1. Special thanks to @motoyasu-saburi @thinkerou

@gopherbot

Change https://go.dev/cl/499895 mentions this issue: data/reports: update GO-2023-1737.yaml

gopherbot pushed a commit that referenced this issue Jun 1, 2023
Add fixed version.

Updates #1737
Fixes #1810

Change-Id: I0e4f5224c2dfe2bac98a389c25ac526cfd06d36f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/499895
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>