Bug 2156683 (CVE-2020-36567) - CVE-2020-36567 gin: Unsanitized input in the default logger in github.com/gin-gonic/gin
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-36567
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance (priority / severity): medium / medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2158237 2158238 2158239 2158255 2158256 2158257 2158258
Blocks: 2156687
Reported: 2022-12-28 07:02 UTC by Avinash Hanwate
Modified: 2023-03-23 11:46 UTC (History)
CC: 34 users

Fixed In Version: gin 1.6.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in gin. The default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, writes the request path to the log without sanitizing it, which allows attackers to inject arbitrary log entries by manipulating the request path.
Clone Of:
Environment:
Last Closed: 2023-03-23 11:46:28 UTC
Embargoed:


Links
System                  | ID             | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata  | RHSA-2023:0934 | 0       | None     | None   | None    | 2023-02-28 00:50:54 UTC
Red Hat Product Errata  | RHSA-2023:1428 | 0       | None     | None   | None    | 2023-03-23 02:16:27 UTC

Description Avinash Hanwate 2022-12-28 07:02:49 UTC
Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines.

https://pkg.go.dev/vuln/GO-2020-0001
https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
https://github.com/gin-gonic/gin/pull/2237
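
As an added example (not code from the gin project or from this bug report), the following self-contained Go program reproduces the class of problem described above using only the standard library: an access-log middleware whose naive formatter writes r.URL.Path verbatim, so a request target carrying a percent-encoded newline (%0a) produces a second, forged log entry, beside a formatter that quotes the path with strconv.Quote so the same request yields exactly one entry. The [APP] line format, the handler and function names, and the injected request target are assumptions constructed for this example; gin's actual fix is in the linked commit and is not reproduced here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// naiveFormat interpolates the request path verbatim, the pattern behind
// CVE-2020-36567. The "[APP]" line layout is an assumption for this example,
// not gin's exact default output.
func naiveFormat(method, path string, status int) string {
	return fmt.Sprintf("[APP] %3d | %-7s %s\n", status, method, path)
}

// safeFormat quotes the attacker-controlled field so CR/LF and other control
// bytes are escaped and cannot terminate the entry and start a new one.
func safeFormat(method, path string, status int) string {
	return fmt.Sprintf("[APP] %3d | %-7s %s\n", status, method, strconv.Quote(path))
}

// statusRecorder captures the status code the wrapped handler wrote.
type statusRecorder struct {
	http.ResponseWriter
	status int
}

func (s *statusRecorder) WriteHeader(code int) {
	s.status = code
	s.ResponseWriter.WriteHeader(code)
}

// accessLogger is a stand-in for a Logger middleware: it wraps a handler and
// appends one entry per request to sink using the supplied formatter.
func accessLogger(next http.Handler, sink *strings.Builder, format func(string, string, int) string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec := &statusRecorder{ResponseWriter: w, status: http.StatusOK}
		next.ServeHTTP(rec, r)
		sink.WriteString(format(r.Method, r.URL.Path, rec.status))
	})
}

// injectedTarget is a constructed request target: %0a decodes to a newline
// in r.URL.Path, and the remainder is shaped like a successful admin login.
const injectedTarget = "/login%0a[APP]%20200%20|%20POST%20%20%20%20/admin/login"

// runRequest sends one request through the middleware (the handler always
// answers 404) and returns everything the logger wrote.
func runRequest(target string, format func(string, string, int) string) string {
	var sink strings.Builder
	h := accessLogger(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNotFound)
	}), &sink, format)
	req := httptest.NewRequest(http.MethodGet, target, nil)
	h.ServeHTTP(httptest.NewRecorder(), req)
	return sink.String()
}

// logLines splits the log output into entries the way a log shipper would.
func logLines(out string) []string {
	return strings.Split(strings.TrimRight(out, "\n"), "\n")
}

func main() {
	fmt.Print("naive formatter:\n", runRequest(injectedTarget, naiveFormat))
	fmt.Print("quoting formatter:\n", runRequest(injectedTarget, safeFormat))
}
```

With the naive formatter the single 404 request leaves two entries in the log, the second one indistinguishable from a genuine "[APP] 200 | POST    /admin/login" line; with the quoting formatter the same request leaves one entry in which the newline appears as the two characters \n. Any field a client controls (path, query, User-Agent, Referer) needs the same treatment before it reaches a line-oriented log.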

Comment 3 Anten Skrabec 2023-01-04 19:39:09 UTC
Created golang-github-gin-gonic tracking bugs for this issue:

Affects: fedora-all [bug 2158255]


Created golang-github-pact-foundation tracking bugs for this issue:

Affects: fedora-all [bug 2158256]


Created golang-github-tonistiigi-opentelemetry-contrib tracking bugs for this issue:

Affects: fedora-all [bug 2158257]


Created golang-opentelemetry-contrib tracking bugs for this issue:

Affects: fedora-all [bug 2158258]

Comment 7 errata-xmlrpc 2023-02-28 00:50:52 UTC
This issue has been addressed in the following products:

  MTA-6.0-RHEL-8

Via RHSA-2023:0934 https://access.redhat.com/errata/RHSA-2023:0934

Comment 8 errata-xmlrpc 2023-03-23 02:16:24 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:1428 https://access.redhat.com/errata/RHSA-2023:1428

Comment 9 Product Security DevOps Team 2023-03-23 11:46:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36567

