GO-2020-0001

Source
https://pkg.go.dev/vuln/GO-2020-0001
Import Source
https://vuln.go.dev/ID/GO-2020-0001.json
JSON Data
https://api.test.osv.dev/v1/vulns/GO-2020-0001
Aliases
Published
2021-04-14T20:04:52Z
Modified
2024-05-20T16:03:47Z
Summary
Arbitrary log line injection in github.com/gin-gonic/gin
Details

The default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.
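
The effect described above, as an added example that is not code from gin or from this advisory: a formatter that writes the request path verbatim next to one that escapes it. The `[APP]` line layout, the function names and the sample path are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// formatRaw writes the request path into the log line unchanged.
// Hypothetical layout, standing in for any formatter that does not escape the path.
func formatRaw(status int, method, path string) string {
	return fmt.Sprintf("[APP] | %3d | %-7s %s\n", status, method, path)
}

// formatQuoted escapes the path with strconv.Quote, so CR, LF and other
// control characters are rendered as \r, \n, \x.. inside one quoted field.
func formatQuoted(status int, method, path string) string {
	return fmt.Sprintf("[APP] | %3d | %-7s %s\n", status, method, strconv.Quote(path))
}

// countEntries reports how many entries a line-oriented log consumer
// (grep, a SIEM forwarder) would read from the given output.
func countEntries(out string) int {
	n := 0
	for _, line := range strings.Split(out, "\n") {
		if line != "" {
			n++
		}
	}
	return n
}

// hasLineBreak flags paths carrying CR or LF, which is useful as a detection signal
// at the proxy or middleware layer even when the logger already escapes them.
func hasLineBreak(path string) bool {
	return strings.ContainsAny(path, "\r\n")
}

func main() {
	// Constructed sample: the path as the server sees it after percent-decoding,
	// with an embedded line feed followed by text shaped like a log entry.
	path := "/ping\n[APP] | 200 | GET     /admin"

	fmt.Print(formatRaw(404, "GET", path))    // consumer reads two entries
	fmt.Print(formatQuoted(404, "GET", path)) // consumer reads one entry
	fmt.Println(countEntries(formatRaw(404, "GET", path)), hasLineBreak(path))
}
```

Quoting keeps the original bytes recoverable for forensics, which silently stripping the characters would not.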

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2020-0001"
}
References
Credits
    • @thinkerou <thinkerou@gmail.com>

Affected packages

Go / github.com/gin-gonic/gin

Package

Name
github.com/gin-gonic/gin
Purl
pkg:golang/github.com/gin-gonic/gin

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.6.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/gin-gonic/gin",
            "symbols": [
                "Default",
                "Logger",
                "LoggerWithConfig",
                "LoggerWithFormatter",
                "LoggerWithWriter"
            ]
        }
    ]
}