Vulmon Recent Vulnerabilities Product List Research Posts Trends Blog About Contact
5.9
CVSSv3

CVE-2023-45286

Published: 28/11/2023 Updated: 04/01/2024
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 0

Vulnerability Summary

A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

Vulnerable Product Search on Vulmon Subscribe to Product

resty project resty

Vendor Advisories

Debian CVElist Bug Report Logs: golang-github-go-resty-resty: CVE-2023-45286
Debian Bug report logs - #1057226 golang-github-go-resty-resty: CVE-2023-45286 Package: src:golang-github-go-resty-resty; Maintainer for src:golang-github-go-resty-resty is Debian Go Packaging Team <team+pkg-go@trackerdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Fri, 1 Dec 2023 21:42:02 U ...
Red Hat:
DescriptionThe MITRE CVE dictionary describes this issue as: A race condition in go-resty can result in HTTP request body disclosure across requests This condition can be triggered by calling syncPoolPut with the same *bytesBuffer more than once, when request retries are enabled and a retry occurs The call to syncPoolGet will then return a b ...

References

CWE-362https://github.com/go-resty/resty/issues/743https://github.com/go-resty/resty/issues/739https://github.com/go-resty/resty/pull/745https://pkg.go.dev/vuln/GO-2023-2328https://github.com/go-resty/resty/commit/577fed8730d79f583eb48dfc81674164e1fc471ehttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057226https://nvd.nist.govhttps://access.redhat.com/security/cve/cve-2023-45286
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
TCPCVE-2024-4577CVE-2024-2695CVE-2024-31870injectionCVE-2024-3813arbitrary codeCVE-2024-27801CVE-2024-30120
Vulmon Logo Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook