Bug 2216957 (CVE-2023-29401) - CVE-2023-29401 golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function
Summary: CVE-2023-29401 golang-github-gin-gonic-gin: Gin Web Framework does not proper...
Keywords:
Status: NEW
Alias: CVE-2023-29401
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2216959 2216960 2216961
Blocks: 2214922
Reported: 2023-06-23 11:59 UTC by Avinash Hanwate
Modified: 2024-03-19 02:21 UTC (History)

Fixed In Version: golang-github-gin-gonic-gin 1.9.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Gin-Gonic Gin Web Framework. Affected versions of this package could allow a remote attacker to bypass security restrictions because of improper input validation of the filename parameter of the Context.FileAttachment function. An attacker can modify the Content-Disposition header by using a specially crafted attachment file name.
Clone Of:
Environment:
Last Closed: 2023-07-27 06:18:14 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:4293 0 None None None 2023-07-27 01:14:05 UTC
Red Hat Product Errata RHSA-2023:5006 0 None None None 2023-10-31 12:54:51 UTC

Description Avinash Hanwate 2023-06-23 11:59:54 UTC
The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different from the one provided. A maliciously crafted attachment file name can modify the Content-Disposition header.

https://pkg.go.dev/vuln/GO-2023-1737
https://github.com/gin-gonic/gin/releases/tag/v1.9.1
https://github.com/gin-gonic/gin/issues/3555
https://github.com/gin-gonic/gin/pull/3556
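The header construction the description refers to, beside a hardened alternative and a round-trip check a maintainer can keep as a unit test. This is an added example, not code from the bug report or from gin: it assumes the vulnerable form is plain concatenation of the name into a quoted-string, and it uses the standard library's mime.FormatMediaType as the fix rather than gin's own 1.9.1 patch. The crafted name is the one quoted above; the UTF-8 name is constructed.

```go
package main

import (
	"fmt"
	"mime"
	"strings"
)

// Constructed sample: the crafted name quoted in the bug description.
const craftedName = `setup.bat";x=.txt`

// vulnerableDisposition mirrors the unsanitized construction this bug
// describes (assumed to be plain concatenation): an embedded '"' closes
// the quoted-string early, and what follows becomes extra header content.
func vulnerableDisposition(filename string) string {
	return `attachment; filename="` + filename + `"`
}

// safeDisposition is a hardened alternative (not gin's own patch): the
// standard library escapes '"' and '\' inside the quoted-string and switches
// to RFC 2231 filename*=utf-8'' encoding when the name has non-ASCII bytes.
func safeDisposition(filename string) string {
	return mime.FormatMediaType("attachment", map[string]string{"filename": filename})
}

// naiveClientFilename imitates a lenient client that takes the first quoted
// filename it sees; this is how the crafted name ends up saved as "setup.bat".
func naiveClientFilename(header string) string {
	_, after, ok := strings.Cut(header, `filename="`)
	if !ok {
		return ""
	}
	name, _, _ := strings.Cut(after, `"`)
	return name
}

// roundTrips is the check to keep in a test suite: parse the header with a
// strict parser and confirm the filename parameter equals the intended name.
func roundTrips(intended, header string) bool {
	_, params, err := mime.ParseMediaType(header)
	return err == nil && params["filename"] == intended
}

func main() {
	for _, name := range []string{craftedName, "résumé.pdf"} {
		bad, good := vulnerableDisposition(name), safeDisposition(name)
		fmt.Printf("vulnerable: %s\n  naive client saves as %q, strict round-trip ok: %v\n",
			bad, naiveClientFilename(bad), roundTrips(name, bad))
		fmt.Printf("hardened:   %s\n  strict round-trip ok: %v\n", good, roundTrips(name, good))
	}
}
```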

Comment 1 Avinash Hanwate 2023-06-23 12:08:59 UTC
Created golang-github-gin-gonic tracking bugs for this issue:

Affects: fedora-all [bug 2216959]

Comment 7 errata-xmlrpc 2023-07-27 01:14:03 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:4293 https://access.redhat.com/errata/RHSA-2023:4293

Comment 8 Product Security DevOps Team 2023-07-27 06:18:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-29401

Comment 23 errata-xmlrpc 2023-10-31 12:54:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5006 https://access.redhat.com/errata/RHSA-2023:5006
