[GO-2023-2328] HTTP request body disclosure in github.com/go-resty/resty/v2
- Severity: Medium
- Affected Packages: 1
- Fixed Packages: 1
- CVEs: 1
A race condition in go-resty can result in HTTP request body disclosure across
requests.
This condition can be triggered by calling sync.Pool.Put with the same
*bytes.Buffer more than once, when request retries are enabled and a retry
occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't
had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP
request body from an unrelated request, and go-resty will append the current
HTTP request body to it, sending two bodies in one request.
The sync.Pool in question is defined at package level scope, so a completely
unrelated server could receive the request body.
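The defect described above is easy to reproduce in isolation. The program below is an added illustration, not resty's code: `reqBuf`, `acquireBuggy`, `releaseBuggy`, `acquireSafe`, `releaseSafe` and `simulate` are hypothetical names, the request bodies are constructed sample values, and the "vulnerable" pair only models the behaviour the advisory describes (the same `*bytes.Buffer` put back twice when a retry occurs, and `Get` trusted to return a clean buffer). The "hardened" pair applies two generic defenses a reviewer would ask for: reset every buffer on `Get`, and make the release path refuse a second `Put` of the same pointer, so one buffer can never be handed to two callers.

```go
package main

import (
	"bytes"
	"fmt"
	"runtime"
	"sync"
)

// reqBuf is a hypothetical pooled request-body buffer (not a resty type).
// The released flag is only used by the hardened release path.
type reqBuf struct {
	bytes.Buffer
	released bool
}

// Both pools are package-level, like the one the advisory describes, so every
// caller in the process shares the same buffers.
var (
	buggyPool = sync.Pool{New: func() any { return new(reqBuf) }}
	safePool  = sync.Pool{New: func() any { return new(reqBuf) }}
)

// acquireBuggy hands out a pooled buffer as-is, trusting that whoever put it
// back left it clean and that nobody else still holds it.
func acquireBuggy() *reqBuf { return buggyPool.Get().(*reqBuf) }

// releaseBuggy models the defect: the normal completion path puts the buffer
// back, and when a retry happened the retry path puts the same pointer back a
// second time. The pool now holds two references to one buffer.
func releaseBuggy(b *reqBuf, retried bool) {
	b.Reset()
	buggyPool.Put(b)
	if retried {
		buggyPool.Put(b)
	}
}

// acquireSafe never trusts a pooled buffer: it is reset on Get, so stale
// contents cannot be appended to, and marked as owned again.
func acquireSafe() *reqBuf {
	b := safePool.Get().(*reqBuf)
	b.Reset()
	b.released = false
	return b
}

// releaseSafe makes Put idempotent per checkout: a second Put of the same
// pointer is ignored, so the pool can never hand one buffer to two callers.
// The flag needs no locking because only the current owner touches it.
func releaseSafe(b *reqBuf, retried bool) {
	put := func() {
		if b.released {
			return
		}
		b.released = true
		b.Reset()
		safePool.Put(b)
	}
	put()
	if retried {
		put()
	}
}

// simulate runs one request that was retried, then two unrelated requests
// that are in flight at the same time, and returns the body each of those
// two would put on the wire. Bodies are constructed sample values.
func simulate(acquire func() *reqBuf, release func(*reqBuf, bool)) (bodyA, bodyB string) {
	runtime.GOMAXPROCS(1) // one P keeps sync.Pool's Put/Get pairing deterministic for the demo

	b0 := acquire()
	b0.WriteString("body0")
	release(b0, true) // this request hit the retry path

	bA := acquire()
	bA.WriteString("bodyA")
	bodyA = bA.String() // request A is serialised and sent

	bB := acquire() // request B, possibly to an unrelated server
	bB.WriteString("bodyB")
	bodyB = bB.String() // with the defect, this carries request A's body too
	return bodyA, bodyB
}

func main() {
	a, b := simulate(acquireBuggy, releaseBuggy)
	fmt.Printf("vulnerable: A sent %q, B sent %q\n", a, b)
	a, b = simulate(acquireSafe, releaseSafe)
	fmt.Printf("hardened:   A sent %q, B sent %q\n", a, b)
}
```

Running it shows request B carrying `bodyAbodyB` on the vulnerable path and only `bodyB` on the hardened one. The reset-on-`Get` alone would not be enough: if two callers hold the same buffer concurrently, one would still see the other's writes, which is why the duplicate `Put` must be refused as well.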
Package | Affected Version |
---|---|
pkg:golang/github.com/go-resty/resty/v2 | >= 2.10.0, < 2.11.0 |
Package | Fixed Version |
---|---|
pkg:golang/github.com/go-resty/resty/v2 | = 2.11.0 |
- ID: GO-2023-2328
- Severity: medium
- Severity from: CVE-2023-45286
- URL: https://pkg.go.dev/vuln/GO-2023-2328
- Published: 2023-11-27T18:22:39
- Modified: 2024-07-17T19:54:18
- Other Advisories:
Source | URL |
---|---|
Security Advisory | https://github.com/advisories/GHSA-xwh9-gc39-5298 |