Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4.3
CVSSv3

CVE-2023-29401

Published: 08/06/2023 Updated: 16/06/2023
CVSS v3 Base Score: 4.3 | Impact Score: 1.4 | Exploitability Score: 2.8
VMScore: 0
Subscribe to Gin

Vulnerability Summary

The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an malicious user to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

gin-gonic gin

Vendor Advisories

Red Hat: Moderate: Migration Toolkit for Containers (MTC) 1.7.11 security and bug fix update
Synopsis Moderate: Migration Toolkit for Containers (MTC) 1711 security and bug fix update Type/Severity Security Advisory: Moderate Topic The Migration Toolkit for Containers (MTC) 1711 is now availableRed Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) bas ...
Debian CVElist Bug Report Logs: golang-github-gin-gonic-gin: CVE-2023-29401
Debian Bug report logs - #1037530 golang-github-gin-gonic-gin: CVE-2023-29401 Package: src:golang-github-gin-gonic-gin; Maintainer for src:golang-github-gin-gonic-gin is Debian Go Packaging Team <team+pkg-go@trackerdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 13 Jun 2023 20:39:01 UTC ...
Red Hat:
Description<!---->A flaw was found in the Gin-Gonic Gin Web Framework Affected versions of this package could allow a remote attacker to bypass security restrictions caused by improper input validation by the filename parameter of the ContextFileAttachment function An attacker can modify the Content-Disposition header by using a specially-crafte ...

References

CWE-494https://pkg.go.dev/vuln/GO-2023-1737https://github.com/gin-gonic/gin/releases/tag/v1.9.1https://github.com/gin-gonic/gin/issues/3555https://github.com/gin-gonic/gin/pull/3556https://access.redhat.com/errata/RHSA-2023:4293https://nvd.nist.govhttps://access.redhat.com/security/cve/cve-2023-29401
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2022-48700CVE-2022-48689CVE-2024-27956CVE-2023-6363SQLNULL pointer dereferenceCVE-2023-41830CVE-2015-2051arbitrary
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook