| id: GO-2023-1737 |
| modules: |
| - module: github.com/gin-gonic/gin |
| versions: |
| - introduced: 1.3.1-0.20190301021747-ccb9e902956d |
| - fixed: 1.9.1 |
| vulnerable_at: 1.9.0 |
| packages: |
| - package: github.com/gin-gonic/gin |
| symbols: |
| - Context.FileAttachment |
| summary: |- |
| Improper handling of filenames in Content-Disposition HTTP header in |
| github.com/gin-gonic/gin |
| description: |- |
| The filename parameter of the Context.FileAttachment function is not properly |
| sanitized. A maliciously crafted filename can cause the Content-Disposition |
| header to be sent with an unexpected filename value or otherwise modify the |
| Content-Disposition header. For example, a filename of "setup.bat";x=.txt" |
| will be sent as a file named "setup.bat". |
| |
| If the FileAttachment function is called with names provided by an untrusted |
| source, this may permit an attacker to cause a file to be served with a name |
| different than provided. Maliciously crafted attachment file name can modify the |
| Content-Disposition header. |
| ghsas: |
| - GHSA-2c4m-59x9-fr2g |
| credits: |
| - motoyasu-saburi |
| references: |
| - report: https://github.com/gin-gonic/gin/issues/3555 |
| - fix: https://github.com/gin-gonic/gin/pull/3556 |
| - web: https://github.com/gin-gonic/gin/releases/tag/v1.9.1 |
| cve_metadata: |
| id: CVE-2023-29401 |
| cwe: 'CWE 20: Improper Input Validation' |
| review_status: REVIEWED |