Bug 2252012 (CVE-2023-45286)

Summary: CVE-2023-45286 go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, aoconnor, bniver, flucifre, gmeno, mbenjamin, mhackett, mwringe, owatkins, rjohnson, sdawley, sostapov, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2252013    
Bug Blocks: 2252014    

Description Avinash Hanwate 2023-11-29 01:55:40 UTC
A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

https://github.com/go-resty/resty/issues/739
https://github.com/go-resty/resty/issues/743
https://github.com/go-resty/resty/pull/745
https://pkg.go.dev/vuln/GO-2023-2328

Comment 2 errata-xmlrpc 2024-05-23 06:39:37 UTC
This issue has been addressed in the following products:

  MTA-7.0-RHEL-9
  MTA-7.0-RHEL-8

Via RHSA-2024:3316 https://access.redhat.com/errata/RHSA-2024:3316

Comment 3 errata-xmlrpc 2024-06-05 05:15:31 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.2

Via RHSA-2024:3621 https://access.redhat.com/errata/RHSA-2024:3621