blob: ad6fd36d321d4699b14470fcc049ec136449a608 [file] [log] [blame]
Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
Expected output of TestCVEToReport/CVE-2023-45286.
-- CVE-2023-45286 --
id: PLACEHOLDER-ID
modules:
- module: github.com/go-resty/resty/v2
vulnerable_at: 2.12.0
packages:
- package: github.com/go-resty/resty/v2
summary: CVE-2023-45286 in github.com/go-resty/resty/v2
description: |-
A race condition in go-resty can result in HTTP request body disclosure across
requests. This condition can be triggered by calling sync.Pool.Put with the same
*bytes.Buffer more than once, when request retries are enabled and a retry
occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't
had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP
request body from an unrelated request, and go-resty will append the current
HTTP request body to it, sending two bodies in one request. The sync.Pool in
question is defined at package level scope, so a completely unrelated server
could receive the request body.
references:
- report: https://github.com/go-resty/resty/issues/743
- report: https://github.com/go-resty/resty/issues/739
- fix: https://github.com/go-resty/resty/pull/745
- web: https://pkg.go.dev/vuln/GO-2023-2328
cve_metadata:
id: CVE-2023-45286
cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
source:
id: CVE-2023-45286