Bug 2252012 (CVE-2023-45286) - CVE-2023-45286 go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2
Summary: CVE-2023-45286 go-resty: HTTP request body disclosure in github.com/go-resty/...
Keywords:
Status: NEW
Alias: CVE-2023-45286
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2252013
Blocks: 2252014
Reported: 2023-11-29 01:55 UTC by Avinash Hanwate
Modified: 2024-01-26 19:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Avinash Hanwate 2023-11-29 01:55:40 UTC
A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

https://github.com/go-resty/resty/issues/739
https://github.com/go-resty/resty/issues/743
https://github.com/go-resty/resty/pull/745
https://pkg.go.dev/vuln/GO-2023-2328
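Added illustration, not resty's code and not the fix from the linked PR: a hypothetical BufferPool wrapper that closes both doors the description names, a Put of the same *bytes.Buffer twice and a Get that hands out a buffer nobody Reset. The names (BufferPool, ErrDoublePut) are assumptions made for this example.

```go
package main

import (
	"bytes"
	"errors"
	"sync"
)

// ErrDoublePut is returned when a buffer is handed back while the pool still
// owns it: the double sync.Pool.Put behind CVE-2023-45286.
var ErrDoublePut = errors.New("double Put: buffer already in pool")

// BufferPool is a hypothetical wrapper (not resty's code) around sync.Pool.
// Get always Resets the buffer it hands out; Put refuses a buffer the pool
// still owns, so a retry path cannot return the same buffer twice.
type BufferPool struct {
	pool  sync.Pool
	mu    sync.Mutex
	owned map[*bytes.Buffer]struct{} // buffers currently inside the pool
}

func NewBufferPool() *BufferPool {
	p := &BufferPool{owned: map[*bytes.Buffer]struct{}{}}
	p.pool.New = func() interface{} { return new(bytes.Buffer) }
	return p
}

// Get hands out a clean buffer even if a dirty one slipped into the pool.
func (p *BufferPool) Get() *bytes.Buffer {
	buf := p.pool.Get().(*bytes.Buffer)
	p.mu.Lock()
	delete(p.owned, buf) // no-op for a buffer the pool just allocated
	p.mu.Unlock()
	buf.Reset() // never leak another request's body bytes
	return buf
}

// Put returns buf to the pool, rejecting a second Put of the same pointer.
// Caveat: pointers sync.Pool drops on GC stay in owned; fine for a demo.
func (p *BufferPool) Put(buf *bytes.Buffer) error {
	p.mu.Lock()
	defer p.mu.Unlock()
	if _, dup := p.owned[buf]; dup {
		return ErrDoublePut
	}
	p.owned[buf] = struct{}{}
	p.pool.Put(buf)
	return nil
}
```

In the vulnerable pattern the second Put succeeds silently and the next Get returns the still-filled buffer, so the next caller's WriteString appends its body to the previous request's bytes; here the second Put is reported and Get never hands out leftovers.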

