Bug 2252012 (CVE-2023-45286) - CVE-2023-45286 go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2
Summary: CVE-2023-45286 go-resty: HTTP request body disclosure in github.com/go-resty/...
Keywords:
Status: NEW
Alias: CVE-2023-45286
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2252013
Blocks: 2252014
Reported: 2023-11-29 01:55 UTC by Avinash Hanwate
Modified: 2024-06-10 14:51 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:3316 0 None None None 2024-05-23 06:39:39 UTC
Red Hat Product Errata RHSA-2024:3621 0 None None None 2024-06-05 05:15:32 UTC

Description Avinash Hanwate 2023-11-29 01:55:40 UTC
A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

https://github.com/go-resty/resty/issues/739
https://github.com/go-resty/resty/issues/743
https://github.com/go-resty/resty/pull/745
https://pkg.go.dev/vuln/GO-2023-2328
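The mechanism in the description, as an added Go example (not go-resty's code and not the reporter's): a retried request returns the same *bytes.Buffer to a shared pool twice, so two later requests are handed the same buffer and one of them ends up carrying the other's body. The pool here is a small deterministic LIFO stand-in with the same Get/Put shape as sync.Pool (sync.Pool itself may drop items at GC or reorder them, which would make the demonstration flaky); the request struct, the release functions and the JSON bodies are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"sync"
)

// bufferPool is the subset of sync.Pool's API the example needs.
// *sync.Pool satisfies it (checked below); the demo uses lifoPool so the
// sequence of Get/Put results is deterministic.
type bufferPool interface {
	Get() any
	Put(x any)
}

var _ bufferPool = (*sync.Pool)(nil)

// lifoPool is a tiny free list with the same aliasing hazard as sync.Pool:
// a pointer that is Put twice occupies two slots and is handed out twice.
type lifoPool struct{ free []*bytes.Buffer }

func (p *lifoPool) Get() any {
	if n := len(p.free); n > 0 {
		b := p.free[n-1]
		p.free = p.free[:n-1]
		return b
	}
	return new(bytes.Buffer)
}

func (p *lifoPool) Put(x any) { p.free = append(p.free, x.(*bytes.Buffer)) }

// request models a client request that keeps its body in a pooled buffer.
type request struct {
	pool    bufferPool
	bodyBuf *bytes.Buffer
}

// acquire takes a buffer from the pool and appends this request's body to it,
// trusting (as the vulnerable flow did) that nobody else holds that buffer.
func (r *request) acquire(body string) {
	r.bodyBuf = r.pool.Get().(*bytes.Buffer)
	r.bodyBuf.WriteString(body)
}

// releaseBuggy returns the buffer every time it is called. If the release step
// runs once per attempt, a retried request Puts the same pointer twice.
func (r *request) releaseBuggy() {
	r.bodyBuf.Reset()
	r.pool.Put(r.bodyBuf)
}

// releaseFixed drops the reference after Put, so a second call is a no-op and
// each buffer sits in the pool at most once (hypothetical fix shape).
func (r *request) releaseFixed() {
	if r.bodyBuf == nil {
		return
	}
	r.bodyBuf.Reset()
	r.pool.Put(r.bodyBuf)
	r.bodyBuf = nil
}

// scenario runs: request 0 completes, is retried, and its release step runs
// after each attempt (twice in total). Then request A and request B, bound for
// unrelated servers, each acquire a buffer. It returns the body each would send.
func scenario(release func(*request)) (bodyA, bodyB string) {
	pool := &lifoPool{}

	r0 := &request{pool: pool}
	r0.acquire("attempt-1")
	release(r0) // release after the first attempt
	release(r0) // release again after the retry: the double Put

	ra := &request{pool: pool}
	ra.acquire(`{"token":"secret-A"}`) // constructed sample body

	rb := &request{pool: pool}
	rb.acquire(`{"token":"B"}`) // constructed sample body

	return ra.bodyBuf.String(), rb.bodyBuf.String()
}

func main() {
	a, b := scenario((*request).releaseBuggy)
	fmt.Printf("buggy: A sends %q, B sends %q\n", a, b)
	a, b = scenario((*request).releaseFixed)
	fmt.Printf("fixed: A sends %q, B sends %q\n", a, b)
}
```

With the buggy release, both later requests hold the same buffer, so request B's body is A's body followed by its own, and nothing in B's own code path could have noticed. Calling Reset on Get would not help either: the buffer is live in another request, so resetting it corrupts that request instead. The property to enforce is that a buffer is Put at most once per Get, which is what nil-ing the reference after release gives you.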

Comment 2 errata-xmlrpc 2024-05-23 06:39:37 UTC
This issue has been addressed in the following products:

  MTA-7.0-RHEL-9
  MTA-7.0-RHEL-8

Via RHSA-2024:3316 https://access.redhat.com/errata/RHSA-2024:3316

Comment 3 errata-xmlrpc 2024-06-05 05:15:31 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.2

Via RHSA-2024:3621 https://access.redhat.com/errata/RHSA-2024:3621

