
gin-keycloak v1.4.0 uses github.com/gin-gonic/gin@v1.7.7 which has an open CVE #18

Closed
yossich6 opened this issue Jul 26, 2023 · 2 comments

Comments

@yossich6
Contributor

gin-keycloak v1.4.0 uses github.com/gin-gonic/gin@v1.7.7 which has an open CVE, see from github.com/gin-gonic/gin/CHANGELOG.md:

Gin v1.9.1

SECURITY

  • fix lack of escaping of filename in Content-Disposition #3556

Description: A vulnerability has been reported in Gin-Gonic Gin, which can be exploited by malicious people to compromise a vulnerable system. 1) An error when processing the "filename" parameter in the "FileAttachment()" function (context.go) can be exploited to set the Content-Disposition response header and subsequently download otherwise restricted files. The vulnerability is reported in versions prior to 1.9.1.

Need to update gin-keycloak to work with github.com/gin-gonic/gin@v1.9.1

@tbaehler
Owner

Thanks for reporting, updated to gin v1.9.1.
Please update to v1.5.0 of gin-keycloak.

@yossich6
Contributor Author

Hey, we pulled 1.5.0 and it still contains github.com/gin-gonic/gin@v1.7.7:
https://github.com/tbaehler/gin-keycloak/blob/master/go.mod - see line 4
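The check the reporter did by hand (open go.mod, find the gin require line, compare it with the first fixed release v1.9.1) as a small Go program. This is an added example, not code from gin-keycloak or gin; the go.mod text it parses is constructed, and the module path example.com/hypothetical/app is a placeholder.

```go
package main

import (
	"fmt"
	"strings"
)

const sampleGoMod = `module example.com/hypothetical/app
require (
	github.com/gin-gonic/gin v1.7.7
)
` // constructed go.mod text (not the project's real file) mirroring the reporter's finding

// requiredVersion returns the version go.mod pins for modPath, in one-line or block form.
func requiredVersion(gomod, modPath string) (string, bool) {
	inRequire := false
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop trailing comments such as "// indirect"
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" { // "require (" opens a block; otherwise one-line form
			inRequire, f = f[len(f)-1] == "(", f[1:]
		} else if len(f) > 0 && f[0] == ")" {
			inRequire = false
		} else if !inRequire {
			continue // module, go, replace and exclude lines are not requirements
		}
		if len(f) == 2 && f[0] == modPath {
			return f[1], true
		}
	}
	return "", false
}

// olderThan reports whether vX.Y.Z version have sorts before fixed (pre-release suffixes ignored).
func olderThan(have, fixed string) (bool, error) {
	var v [2][3]int
	for i, s := range []string{have, fixed} {
		if _, err := fmt.Sscanf(s, "v%d.%d.%d", &v[i][0], &v[i][1], &v[i][2]); err != nil {
			return false, err
		}
	}
	a, b := v[0], v[1] // compare major, then minor, then patch
	return a[0] < b[0] || a[0] == b[0] && (a[1] < b[1] || a[1] == b[1] && a[2] < b[2]), nil
}

func main() {
	v, _ := requiredVersion(sampleGoMod, "github.com/gin-gonic/gin")
	old, err := olderThan(v, "v1.9.1") // first gin release carrying the Content-Disposition fix
	fmt.Println(v, old, err)           // v1.7.7 true <nil>
}
```

Run it against a real go.mod by replacing sampleGoMod with the file contents; a `true` result means the pinned gin still predates the fix, which is what the reporter found in v1.5.0.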
