CVE-2023-26125: Input Validation
First published: Thu May 04 2023(Updated: )
A flaw was found in Gin-Gonic Gin. This flaw allows a remote attacker to bypass security restrictions caused by improper input validation. An attacker can perform cache poisoning attacks by sending a specially-crafted request using the X-Forwarded-Prefix header.
Credit: report@snyk.io report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gin-Gonic Gin | <1.9.0 | |
| go/github.com/gin-gonic/gin | <1.9.0 | 1.9.0 |
| redhat/github.com/gin-gonic/gin | <1.9.0 | 1.9.0 |
| IBM Planning Analytics Local - IBM Planning Analytics Workspace | <=2.1 | |
| IBM Planning Analytics Local - IBM Planning Analytics Workspace | <=2.0 |
Remedy
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/t0rchwo0d/gin/commit/fd9f98e70fb4107ee68c783482d231d35e60507b
- https://github.com/gin-gonic/gin/pull/3500
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-3324285
- https://github.com/gin-gonic/gin/pull/3503
- https://github.com/gin-gonic/gin/releases/tag/v1.9.0
- https://www.cve.org/CVERecord?id=CVE-2023-26125 https://nvd.nist.gov/vuln/detail/CVE-2023-26125 https://www.postgresql.org/support/security/CVE-2023-2454/
- https://bugzilla.redhat.com/show_bug.cgi?id=2203769
- https://access.redhat.com/errata/RHSA-2023:4627
- https://access.redhat.com/errata/RHSA-2023:4293
- https://access.redhat.com/security/cve/cve-2023-26125
- https://nvd.nist.gov/vuln/detail/CVE-2023-26125
- https://github.com/advisories/GHSA-3vp4-m3rf-835h (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/254482
- https://www.ibm.com/support/pages/node/7151122 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2203771
- https://access.redhat.com/errata/RHSA-2024:8688
Frequently Asked Questions
What is the vulnerability ID for this flaw in Gin-Gonic Gin?
The vulnerability ID for this flaw in Gin-Gonic Gin is CVE-2023-26125.
What is the severity of CVE-2023-26125?
The severity of CVE-2023-26125 is high with a severity value of 7.3.
How does CVE-2023-26125 affect the Gin-Gonic Gin package?
CVE-2023-26125 affects versions of the Gin-Gonic Gin package before version 1.9.0.
How can an attacker exploit CVE-2023-26125?
An attacker can exploit CVE-2023-26125 by using a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.
Is there a fix available for CVE-2023-26125?
Yes, the fix for CVE-2023-26125 is to upgrade to version 1.9.0 or later of the Gin-Gonic Gin package.
- collector/nvd-latest
- collector/redhat-cve
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-3vp4-m3rf-835h
- alias/CVE-2023-26125
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/event
- agent/last-modified-date
- agent/severity
- agent/references
- agent/weakness
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- vendor/gin-gonic
- canonical/gin-gonic gin
- package-manager/go
- vendor/ibm
- canonical/ibm planning analytics local - ibm planning analytics workspace
- version/ibm planning analytics local - ibm planning analytics workspace/2.1
- version/ibm planning analytics local - ibm planning analytics workspace/2.0
- package-manager/redhat