Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/go-resty/resty/v2: CVE-2023-45286 #2328

Closed
1 task done
lattwood opened this issue Nov 9, 2023 · 7 comments
Closed
1 task done

x/vulndb: potential Go vuln in github.com/go-resty/resty/v2: CVE-2023-45286 #2328

lattwood opened this issue Nov 9, 2023 · 7 comments
Assignees
@tatianab
Labels
Direct External Report

Comments

@lattwood
Copy link

lattwood commented Nov 9, 2023
edited
Loading

Acknowledgement

  • The maintainer(s) of the affected project have already been made aware of this vulnerability.

Description

go-resty v2.10.0 introduced a race condition that results in HTTP request body disclosure across requests, by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs.

When this condition is triggered, the call to sync.Pool.Get will return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request.

The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

Affected Modules, Packages, Versions and Symbols

Module: github.com/go-resty/resty/v2
Package: github.com/go-resty/resty/v2
Versions:
  - Introduced: 2.10.0
  - Fixed: N/A
Symbols:
  - Client.SetRetryCount

CVE/GHSA ID

No response

Fix Commit or Pull Request

go-resty/resty#745

References

Additional information

It would be awesome if sync.Pool kept track of returned memory addresses when go's race detector is enabled, it would have made tracking this down a lot faster.
@lattwood
Copy link
Author

Dang.

https://github.com/search?q=resty+SetRetryCount+language%3AGo&type=code

Just a little bit of vulnerable code.

@tatianab tatianab self-assigned this Nov 15, 2023
@tatianab tatianab changed the title x/vulndb: potential Go vuln in github.com/go-resty/resty/v2 x/vulndb: potential Go vuln in github.com/go-resty/resty/v2: CVE-2023-45286 Nov 27, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/545206 mentions this issue: data/reports: add GO-2023-2328.yaml

@tatianab
Copy link
Contributor

Hi, thank you for your report, and apologies for the delay. This vulnerability has been assigned ids GO-2023-2328 and CVE-2023-45286. The report in CL https://go.dev/cl/545206 will be published soon; please comment here or on that CL if you have any suggested edits.

@lattwood
Copy link
Author

No worries, and thank you!

gopherbot pushed a commit that referenced this issue Nov 27, 2023
@tatianab
data/reports: add GO-2023-2328.yaml
edf27d2 
Aliases: CVE-2023-45286

Updates #2328

Change-Id: I5c53cf4e061c940f30dd68ae3593ff3b39f168bf
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545206
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
@GoVulnBot GoVulnBot mentioned this issue Nov 28, 2023
Closed
@tatianab tatianab closed this as completed Dec 6, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/547980 mentions this issue: data/reports: update GO-2023-2328.yaml

gopherbot pushed a commit that referenced this issue Dec 11, 2023
@tatianab
data/reports: update GO-2023-2328.yaml
497dfa0 
Add missing GHSA.

Aliases: CVE-2023-45286, GHSA-xwh9-gc39-5298

Updates #2328
Fixes #2357

Change-Id: Ie4b7593cc7bb3251d5919db76ddfe99a4fdeff15
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/547980
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/554135 mentions this issue: data/reports: add GO-2023-2328.yaml

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/554155 mentions this issue: data/reports: update GO-2023-2328.yaml

gopherbot pushed a commit that referenced this issue Jan 4, 2024
@tatianab
data/reports: update GO-2023-2328.yaml
aca7204 
Add fixed version and fix commit.

Aliases: CVE-2023-45286, GHSA-xwh9-gc39-5298

Updates #2328
Updates #2427

Change-Id: Ia8373db660975a01f455d2b60d5e1d9f73a2c30b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/554155
Reviewed-by: Tim King <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
Direct External Report
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lattwood @tatianab @gopherbot