[GO-2023-2328] HTTP request body disclosure in github.com/go-resty/resty/v2

Severity Medium
Affected Packages 1
Fixed Packages 1
CVEs 1

A race condition in go-resty can result in HTTP request body disclosure across
requests.

This condition can be triggered by calling sync.Pool.Put with the same
*bytes.Buffer more than once, when request retries are enabled and a retry
occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't
had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP
request body from an unrelated request, and go-resty will append the current
HTTP request body to it, sending two bodies in one request.

The sync.Pool in question is defined at package level scope, so a completely
unrelated server could receive the request body.
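The Put-twice sequence described above, as an added example that is not go-resty's code: a model of the affected retry path (one Put per attempt) beside the fixed one (one Put per Get), run against a pool with the same Get/Put contract as sync.Pool. All names (Pool, lifoPool, doRequest, wireBodies, the body strings) are constructed; lifoPool stands in for sync.Pool only because sync.Pool does not guarantee which object Get returns, so the aliasing would not reproduce deterministically in a test.

```go
package main

import (
	"bytes"
	"sync"
)

// Pool is what the body path needs from sync.Pool; *sync.Pool satisfies it, lifoPool is a constructed stand-in.
type Pool interface{ Get() any; Put(any) }
var _ Pool = (*sync.Pool)(nil)
type lifoPool struct{ free []*bytes.Buffer }
func (p *lifoPool) Put(x any) { p.free = append(p.free, x.(*bytes.Buffer)) }
func (p *lifoPool) Get() any {
	if n := len(p.free); n > 0 {
		defer func() { p.free = p.free[:n-1] }() // pop after returning the top element
		return p.free[n-1]
	}
	return new(bytes.Buffer)
}
// release resets a buffer and returns it; the Get side trusts this instead of resetting.
func release(p Pool, b *bytes.Buffer) { b.Reset(); p.Put(b) }
// doRequest encodes body into a pooled buffer, sends it and retries once on failure. With
// doublePut the failed attempt's cleanup returns the buffer but the retry keeps the pointer.
func doRequest(p Pool, body string, send func(string) bool, doublePut bool) bool {
	buf := p.Get().(*bytes.Buffer) // no Reset here: trusts release()
	buf.WriteString(body)
	ok := send(buf.String())
	if !ok {
		if doublePut {
			release(p, buf)       // affected pattern: first Put of buf
			buf.WriteString(body) // retry re-encodes into a buffer the pool already owns
		}
		ok = send(buf.String())
	}
	release(p, buf) // after a retry on the affected path this is the second Put of buf
	return ok
}
// wireBodies runs request A (fails once, then retries), then B and C overlapping like
// concurrent requests: B still holds its buffer when C takes one. It returns their bodies.
func wireBodies(p Pool, doublePut bool) (string, string) {
	calls := 0
	flaky := func(string) bool { calls++; return calls > 1 } // fails only the first attempt
	doRequest(p, "body-A", flaky, doublePut)
	bufB := p.Get().(*bytes.Buffer)
	bufB.WriteString("body-B")
	bufC := p.Get().(*bytes.Buffer) // affected path: the same *bytes.Buffer as bufB
	bufC.WriteString("body-C")
	return bufB.String(), bufC.String()
}
```

With doublePut set, request C puts B's body followed by its own on the wire, which is the cross-request disclosure the advisory describes; with one Put per Get, C receives a fresh buffer.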

Affected Package
pkg:golang/github.com/go-resty/resty/v2 >= 2.10.0, < 2.11.0
Fixed Package
pkg:golang/github.com/go-resty/resty/v2 = 2.11.0
ID
GO-2023-2328
Severity
medium
Severity from
CVE-2023-45286
URL
https://pkg.go.dev/vuln/GO-2023-2328
Published
2023-11-27T18:22:39
Modified
2024-07-17T19:54:18
Other Advisories
Security Advisory: https://github.com/advisories/GHSA-xwh9-gc39-5298
Fixed: pkg:golang/github.com/go-resty/resty/v2 (namespace github.com/go-resty/resty, name v2) = 2.11.0
Affected: pkg:golang/github.com/go-resty/resty/v2 (namespace github.com/go-resty/resty, name v2) >= 2.10.0, < 2.11.0