blob: 5b79643fe315e56f8450471080fd68d219e22e6e [file] [log] [blame]
module = "github.com/gin-gonic/gin"
description = """
The default [`Formatter`][LoggerConfig.Formatter] for the [`Logger`][] middleware
(included in the [`Default`][] engine) allows attackers to inject arbitrary log
entries by manipulating the request path.
"""
credit = "@thinkerou <thinkerou@gmail.com>"
# Better static analysis: LoggerWithConfig called with nil conf.Formatter.
# Test symbol inclusion by making a gin handler without Default or Logger.
symbols = ["defaultLogFormatter"]
[[versions]]
# v1.5.1 doesn't exist? not sure how `go mod` is picking this pseudoversion
fixed = "v1.6.0"
[links]
pr = "https://github.com/gin-gonic/gin/pull/2237"
commit = "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d"
[cve_metadata]
id = "CVE-XXXX-0001"
description = """
Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0
allows remote attackers to inject arbitary log lines.
"""
cwe = "CWE-20: Improper Input Validation"