blob: 803420cbc5650acd9c7b29c0828e8221544abe28 [file] [log] [blame]
id: GO-2020-0001
modules:
- module: github.com/gin-gonic/gin
versions:
- fixed: 1.6.0
vulnerable_at: 1.5.0
packages:
- package: github.com/gin-gonic/gin
symbols:
- LoggerWithConfig
derived_symbols:
- Default
- Logger
- LoggerWithFormatter
- LoggerWithWriter
summary: Arbitrary log line injection in github.com/gin-gonic/gin
description: |-
The default Formatter for the Logger middleware (LoggerConfig.Formatter), which
is included in the Default engine, allows attackers to inject arbitrary log
entries by manipulating the request path.
published: 2021-04-14T20:04:52Z
ghsas:
- GHSA-6vm3-jj99-7229
credits:
- '@thinkerou <thinkerou@gmail.com>'
references:
- fix: https://github.com/gin-gonic/gin/pull/2237
- fix: https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
cve_metadata:
id: CVE-2020-36567
cwe: CWE-117 Improper Output Neutralization for Logs
description: |-
Unsanitized input in the default logger in github.com/gin-gonic/gin before
v1.6.0 allows remote attackers to inject arbitrary log lines.
review_status: REVIEWED