| id: GO-2024-2730 |
| modules: |
| - module: github.com/gorilla/sessions |
| vulnerable_at: 1.2.2 |
| packages: |
| - package: github.com/gorilla/sessions |
| symbols: |
| - FilesystemStore.save |
| - FilesystemStore.load |
| - FilesystemStore.erase |
| derived_symbols: |
| - CookieStore.Get |
| - FilesystemStore.Get |
| - FilesystemStore.New |
| - FilesystemStore.Save |
| - Registry.Get |
| - Registry.Save |
| - Save |
| - Session.Save |
| summary: 'WITHDRAWN: Directory traversal in FilesystemStore in github.com/gorilla/sessions' |
| description: |- |
| (This report has been withdrawn on the grounds that it |
| generates too many false positives. Session IDs are |
| documented as not being suitable to hold user-provided |
| data.) |
| |
| FilesystemStore does not sanitize the Session.ID value, |
| making it vulnerable to directory traversal attacks. |
| If an attacker has control over the contents of the session ID, |
| this can be exploited to write to arbitrary files in the |
| filesystem. |
| |
| Programs which do not set session IDs explicitly, |
| or which only set session IDs that will not be |
| interpreted by the filesystem, are not vulnerable. |
| withdrawn: 2024-04-17T11:06:23-07:00 |
| related: |
| - CVE-2024-3400 |
| references: |
| - fix: https://github.com/gorilla/sessions/pull/274 |
| source: |
| id: go-security-team |
| created: 2024-04-17T07:45:30.470362-07:00 |
| review_status: REVIEWED |
