Описание
Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.
Note: Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.
A flaw was found in Gin-Gonic Gin. This flaw allows a remote attacker to bypass security restrictions caused by improper input validation. An attacker can perform cache poisoning attacks by sending a specially-crafted request using the X-Forwarded-Prefix header.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8 | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel8 | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/loki-rhel8-operator | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/lokistack-gateway-rhel9 | Not affected | ||
| Migration Toolkit for Applications 6 | mta/mta-admin-addon-rhel8 | Will not fix | ||
| Migration Toolkit for Applications 6 | mta/mta-windup-addon-rhel9 | Affected | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-rhel8-operator | Affected | ||
| OpenShift Serverless | openshift-serverless-1/client-kn-rhel8 | Affected | ||
| OpenShift Serverless | openshift-serverless-1/ingress-rhel8-operator | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-multicluster-globalhub-agent-container | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.3 High
CVSS3
Связанные уязвимости
Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning. **Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.
Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning. **Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.
Versions of the package github.com/gin-gonic/gin before 1.9.0 are vuln ...
Improper input validation in github.com/gin-gonic/gin
EPSS
7.3 High
CVSS3