internal/cve5/testdata/cve/TestToReport/CVE-2023-45286.txtar

Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.

Expected output of TestToReport/CVE-2023-45286.

-- CVE-2023-45286_UNREVIEWED --
id: GO-ID-PENDING
modules:
    - module: github.com/go-resty/resty
      vulnerable_at: 1.12.0
    - module: github.com/go-resty/resty/v2
      versions:
        - introduced: 2.10.0
        - fixed: 2.11.0
      vulnerable_at: 2.10.0
summary: HTTP request body disclosure in github.com/go-resty/resty/v2
credits:
    - Logan Attwood (@lattwood)
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-45286
    - fix: https://github.com/go-resty/resty/commit/577fed8730d79f583eb48dfc81674164e1fc471e
    - fix: https://github.com/go-resty/resty/pull/745
    - report: https://github.com/go-resty/resty/issues/739
    - report: https://github.com/go-resty/resty/issues/743
cve_metadata:
    id: CVE-2023-45286
    cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
notes:
    - lint: 'description: missing (reports with Go CVEs must have a description)'
source:
    id: CVE-2023-45286
    created: 1999-01-01T00:00:00Z
review_status: UNREVIEWED
-- CVE-2023-45286_REVIEWED --
id: GO-ID-PENDING
modules:
    - module: github.com/go-resty/resty/v2
      versions:
        - introduced: 2.10.0
        - fixed: 2.11.0
      vulnerable_at: 2.10.0
      packages:
        - package: github.com/go-resty/resty/v2
          symbols:
            - handleRequestBody
            - Backoff
            - Request.Delete
            - Request.Execute
            - Request.Get
            - Request.Head
            - Request.Options
            - Request.Patch
            - Request.Post
            - Request.Put
            - Request.Send
summary: HTTP request body disclosure in github.com/go-resty/resty/v2
description: |-
    A race condition in go-resty can result in HTTP request body disclosure across
    requests. This condition can be triggered by calling sync.Pool.Put with the same
    *bytes.Buffer more than once, when request retries are enabled and a retry
    occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't
    had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP
    request body from an unrelated request, and go-resty will append the current
    HTTP request body to it, sending two bodies in one request. The sync.Pool in
    question is defined at package level scope, so a completely unrelated server
    could receive the request body.
credits:
    - Logan Attwood (@lattwood)
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-45286
    - fix: https://github.com/go-resty/resty/commit/577fed8730d79f583eb48dfc81674164e1fc471e
    - fix: https://github.com/go-resty/resty/pull/745
    - report: https://github.com/go-resty/resty/issues/739
    - report: https://github.com/go-resty/resty/issues/743
cve_metadata:
    id: CVE-2023-45286
    cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
source:
    id: CVE-2023-45286
    created: 1999-01-01T00:00:00Z
review_status: REVIEWED