| id: GO-2021-0052 |
| modules: |
| - module: github.com/gin-gonic/gin |
| versions: |
| - fixed: 1.7.7 |
| vulnerable_at: 1.7.6 |
| packages: |
| - package: github.com/gin-gonic/gin |
| symbols: |
| - Context.ClientIP |
| - Context.RemoteIP |
| derived_symbols: |
| - Context.Next |
| - Engine.HandleContext |
| - Engine.Run |
| - Engine.RunFd |
| - Engine.RunListener |
| - Engine.RunTLS |
| - Engine.RunUnix |
| - Engine.ServeHTTP |
| summary: Inconsistent interpretation of HTTP Requests in github.com/gin-gonic/gin |
| description: |- |
| Due to improper HTTP header sanitization, a malicious user can spoof their |
| source IP address by setting the X-Forwarded-For header. This may allow a user |
| to bypass IP based restrictions, or obfuscate their true source. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2020-28483 |
| ghsas: |
| - GHSA-h395-qcrw-5vmq |
| credits: |
| - '@sorenisanerd' |
| references: |
| - report: https://github.com/gin-gonic/gin/issues/2862 |
| - report: https://github.com/gin-gonic/gin/issues/2473 |
| - report: https://github.com/gin-gonic/gin/issues/2232 |
| - fix: https://github.com/gin-gonic/gin/pull/2844 |
| - fix: https://github.com/gin-gonic/gin/commit/5929d521715610c9dd14898ebbe1d188d5de8937 |
| - fix: https://github.com/gin-gonic/gin/pull/2632 |
| - fix: https://github.com/gin-gonic/gin/commit/bfc8ca285eb46dad60e037d57c545cd260636711 |
| - fix: https://github.com/gin-gonic/gin/pull/2675 |
| - fix: https://github.com/gin-gonic/gin/commit/03e5e05ae089bc989f1ca41841f05504d29e3fd9 |
| - web: https://github.com/gin-gonic/gin/pull/2474 |
| review_status: REVIEWED |