CVE-2023-26125
golang-github-gin-gonic-gin: Improper Input Validation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning. **Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.
A flaw was found in Gin-Gonic Gin. This flaw allows a remote attacker to bypass security restrictions caused by improper input validation. An attacker can perform cache poisoning attacks by sending a specially-crafted request using the X-Forwarded-Prefix header.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-02-20 CVE Reserved
- 2023-05-04 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-10-14 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://github.com/gin-gonic/gin/releases/tag/v1.9.0 | Release Notes |
| URL | Date | SRC |
|---|---|---|
| https://github.com/gin-gonic/gin/pull/3500 | 2024-08-02 | |
| https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-3324285 | 2024-08-02 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/gin-gonic/gin/pull/3503 | 2023-11-07 | |
| https://github.com/t0rchwo0d/gin/commit/fd9f98e70fb4107ee68c783482d231d35e60507b | 2023-11-07 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-26125 | 2023-08-14 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2203769 | 2023-08-14 |