All the vulnerabilities related to github.com/gin-gonic/gin
cve-2023-29401
Vulnerability from cvelistv5
Published: 2023-06-08 20:27
Modified: 2024-08-02 14:07
Summary
Improper handling of filenames in Content-Disposition HTTP header in github.com/gin-gonic/gin
Impacted products
Vendor | Product | Version
---|---|---
github.com/gin-gonic/gin | github.com/gin-gonic/gin | Version: 1.3.1-0.20190301021747-ccb9e902956d ≤
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T14:07:45.567Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/gin-gonic/gin/issues/3555" }, { "tags": [ "x_transferred" ], "url": "https://github.com/gin-gonic/gin/pull/3556" }, { "tags": [ "x_transferred" ], "url": "https://github.com/gin-gonic/gin/releases/tag/v1.9.1" }, { "tags": [ "x_transferred" ], "url": "https://pkg.go.dev/vuln/GO-2023-1737" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "packageName": "github.com/gin-gonic/gin", "product": "github.com/gin-gonic/gin", "programRoutines": [ { "name": "Context.FileAttachment" } ], "vendor": "github.com/gin-gonic/gin", "versions": [ { "lessThan": "1.9.1", "status": "affected", "version": "1.3.1-0.20190301021747-ccb9e902956d", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "value": "motoyasu-saburi" } ], "descriptions": [ { "lang": "en", "value": "The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of \"setup.bat\u0026quot;;x=.txt\" will be sent as a file named \"setup.bat\". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header." 
} ], "problemTypes": [ { "descriptions": [ { "description": "CWE 20: Improper Input Validation", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-12T19:14:11.166Z", "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go" }, "references": [ { "url": "https://github.com/gin-gonic/gin/issues/3555" }, { "url": "https://github.com/gin-gonic/gin/pull/3556" }, { "url": "https://github.com/gin-gonic/gin/releases/tag/v1.9.1" }, { "url": "https://pkg.go.dev/vuln/GO-2023-1737" } ], "title": "Improper handling of filenames in Content-Disposition HTTP header in github.com/gin-gonic/gin" } }, "cveMetadata": { "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "assignerShortName": "Go", "cveId": "CVE-2023-29401", "datePublished": "2023-06-08T20:27:15.057Z", "dateReserved": "2023-04-05T19:36:35.042Z", "dateUpdated": "2024-08-02T14:07:45.567Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-36567
Vulnerability from cvelistv5
Published: 2022-12-27 20:58
Modified: 2024-08-04 17:30
Summary
Arbitrary log line injection in github.com/gin-gonic/gin
Impacted products
Vendor | Product | Version
---|---|---
github.com/gin-gonic/gin | github.com/gin-gonic/gin | Version: 0 ≤
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:30:08.458Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/gin-gonic/gin/pull/2237" }, { "tags": [ "x_transferred" ], "url": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d" }, { "tags": [ "x_transferred" ], "url": "https://pkg.go.dev/vuln/GO-2020-0001" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "packageName": "github.com/gin-gonic/gin", "product": "github.com/gin-gonic/gin", "programRoutines": [ { "name": "LoggerWithConfig" }, { "name": "Default" }, { "name": "Logger" }, { "name": "LoggerWithFormatter" }, { "name": "LoggerWithWriter" } ], "vendor": "github.com/gin-gonic/gin", "versions": [ { "lessThan": "1.6.0", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "value": "@thinkerou \u003cthinkerou@gmail.com\u003e" } ], "descriptions": [ { "lang": "en", "value": "Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines." 
} ], "problemTypes": [ { "descriptions": [ { "description": "CWE-117 Improper Output Neutralization for Logs", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-06T18:28:26.763Z", "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go" }, "references": [ { "url": "https://github.com/gin-gonic/gin/pull/2237" }, { "url": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d" }, { "url": "https://pkg.go.dev/vuln/GO-2020-0001" } ], "title": "Arbitrary log line injection in github.com/gin-gonic/gin" } }, "cveMetadata": { "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "assignerShortName": "Go", "cveId": "CVE-2020-36567", "datePublished": "2022-12-27T20:58:14.400Z", "dateReserved": "2022-07-29T19:10:22.854Z", "dateUpdated": "2024-08-04T17:30:08.458Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }