#VU84618 Input validation error in Gin - CVE-2023-26125

Cybersecurity Help s.r.o.

Published: 2023-12-20

Vulnerability identifier: #VU84618

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-26125

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Gin
Web applications / CMS

Vendor: Gin-Gonic

Description

The vulnerability allows a remote attacker to poison application's cache.

The vulnerability exists due to insufficient validation of user-supplied input when processing X-Forwarded-Prefix header. A remote attacker can pass send specially crafted request to the application and perform cache poisoning.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Gin: 0.1 - 1.8.2

External links
https://github.com/t0rchwo0d/gin/commit/fd9f98e70fb4107ee68c783482d231d35e60507b
https://github.com/gin-gonic/gin/pull/3500
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-3324285
https://github.com/gin-gonic/gin/pull/3503
https://github.com/gin-gonic/gin/releases/tag/v1.9.0

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.13

Splunk Enterprise update for third-party components

Multiple vulnerabilities in IBM Planning Analytics Local - IBM Planning Analytics Workspace

Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps

Multiple vulnerabilities in Migration Toolkit for Virtualization 2.5

Cache poisoning attack in Gin-Gonic Gin

Multiple vulnerabilities in Migration Toolkit for Containers 1.7