| package = "github.com/gin-gonic/gin" |
| |
| description = """ |
| The default [`Formatter`][LoggerConfig.Formatter] for the [`Logger`][] middleware |
| (included in the [`Default`][] engine) allows attackers to inject arbitrary log |
| entries by manipulating the request path. |
| """ |
| |
| credit = "@thinkerou <thinkerou@gmail.com>" |
| |
| # Better static analysis: LoggerWithConfig called with nil conf.Formatter. |
| # Test symbol inclusion by making a gin handler without Default or Logger. |
| symbols = ["defaultLogFormatter"] |
| |
| [[versions]] |
| # v1.5.1 doesn't exist? not sure how `go mod` is picking this pseudoversion |
| fixed = "v1.6.0" |
| |
| [links] |
| pr = "https://github.com/gin-gonic/gin/pull/2237" |
| commit = "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d" |
| |
| [cve_metadata] |
| id = "CVE-XXX" |
| description = """ |
| Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 |
| allows remote attackers to inject arbitary log lines. |
| """ |
| cwe = "CWE-20: Improper Input Validation" |
