Bug 2156683 (CVE-2020-36567)

Summary: CVE-2020-36567 gin: Unsanitized input in the default logger in github.com/gin-gonic/gin
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bdettelb, dfreiber, dymurray, ellin, gparvin, ibolton, jburrell, jcantril, jmatthew, jmontleo, jwon, lball, lgamliel, matzew, mfilanov, nboldt, njean, owatkins, pahickey, periklis, rfreiman, rgarg, rhuss, rogbas, rrajasek, scorneli, sfowler, shbose, slucidi, sseago, stcannon, teagle, ubhargav, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: gin 1.6.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-03-23 11:46:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2158237, 2158238, 2158239, 2158255, 2158256, 2158257, 2158258    
Bug Blocks: 2156687    

Description Avinash Hanwate 2022-12-28 07:02:49 UTC
Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines.

https://pkg.go.dev/vuln/GO-2020-0001
https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
https://github.com/gin-gonic/gin/pull/2237
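The flaw the Doc Text and the description describe, a request path containing a line break that the default log formatter writes verbatim so that the rest of the path lands in the log as a separate entry, can be shown with a small self-contained Go program. This is an added example and not gin's own code: the LogFormatterParams type, unsafeFormatter, safeFormatter, countEntries and suspiciousPath are all constructed here, the request path is a constructed sample, and quoting the path with strconv.Quote is one illustrative way to neutralize the issue, not a statement of what the upstream fix did.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
	"unicode"
)

// LogFormatterParams holds the per-request values a logger middleware hands
// to its formatter. Constructed for this example; it is not gin's type.
type LogFormatterParams struct {
	TimeStamp  time.Time
	StatusCode int
	Latency    time.Duration
	ClientIP   string
	Method     string
	Path       string
}

// unsafeFormatter writes the request path verbatim, the pattern described in
// the bug: a path containing "\n" ends the entry early and whatever follows
// is written as a second, client-authored log line.
func unsafeFormatter(p LogFormatterParams) string {
	return fmt.Sprintf("[GIN] %s | %3d | %v | %s | %-7s %s\n",
		p.TimeStamp.Format("2006/01/02 - 15:04:05"),
		p.StatusCode, p.Latency, p.ClientIP, p.Method, p.Path)
}

// safeFormatter quotes the path with Go string escaping before writing it, so
// CR, LF and escape bytes appear as visible "\r", "\n", "\x1b" sequences and
// the record stays on one line. Illustrative hardening, not the upstream patch.
func safeFormatter(p LogFormatterParams) string {
	return fmt.Sprintf("[GIN] %s | %3d | %v | %s | %-7s %s\n",
		p.TimeStamp.Format("2006/01/02 - 15:04:05"),
		p.StatusCode, p.Latency, p.ClientIP, p.Method, strconv.Quote(p.Path))
}

// countEntries returns how many physical lines one formatted record occupies.
// A correct formatter always yields 1; anything larger means a single request
// produced extra log lines.
func countEntries(record string) int {
	return len(strings.Split(strings.TrimSuffix(record, "\n"), "\n"))
}

// suspiciousPath reports whether a request path carries any control character,
// the property a defender would search for when auditing access logs that were
// produced while an unpatched formatter was in use.
func suspiciousPath(path string) bool {
	return strings.IndexFunc(path, unicode.IsControl) >= 0
}

func main() {
	// Constructed sample request: the path ends in a line break followed by
	// text shaped like a second log entry.
	p := LogFormatterParams{
		TimeStamp:  time.Date(2023, 1, 4, 19, 39, 9, 0, time.UTC),
		StatusCode: 404,
		Latency:    2 * time.Millisecond,
		ClientIP:   "198.51.100.7",
		Method:     "GET",
		Path:       "/search?q=x\n[GIN] forged entry",
	}
	fmt.Printf("unsafe formatter, %d line(s):\n%s", countEntries(unsafeFormatter(p)), unsafeFormatter(p))
	fmt.Printf("safe formatter, %d line(s):\n%s", countEntries(safeFormatter(p)), safeFormatter(p))
	fmt.Println("control characters in path:", suspiciousPath(p.Path))
}
```

Running it prints the same request twice: the unsafe formatter emits two lines, the second of which looks like an independent entry, while the safe formatter emits one line in which the newline is visible as the two characters `\n`. The suspiciousPath check is the retrospective side of the fix: applied to path fields in logs already written by a pre-1.6.0 formatter, it picks out the requests that could have produced such forged entries.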

Comment 3 Anten Skrabec 2023-01-04 19:39:09 UTC
Created golang-github-gin-gonic tracking bugs for this issue:

Affects: fedora-all [bug 2158255]

Created golang-github-pact-foundation tracking bugs for this issue:

Affects: fedora-all [bug 2158256]

Created golang-github-tonistiigi-opentelemetry-contrib tracking bugs for this issue:

Affects: fedora-all [bug 2158257]

Created golang-opentelemetry-contrib tracking bugs for this issue:

Affects: fedora-all [bug 2158258]

Comment 7 errata-xmlrpc 2023-02-28 00:50:52 UTC
This issue has been addressed in the following products:

  MTA-6.0-RHEL-8

Via RHSA-2023:0934 https://access.redhat.com/errata/RHSA-2023:0934

Comment 8 errata-xmlrpc 2023-03-23 02:16:24 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:1428 https://access.redhat.com/errata/RHSA-2023:1428

Comment 9 Product Security DevOps Team 2023-03-23 11:46:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36567