Vulnerability Details : CVE-2023-26125
Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.
**Note:** Although this issue does not pose a significant threat on its own, it can serve as an input vector for other, more impactful vulnerabilities. Successful exploitation may depend on the server configuration and on whether the header is used in the application logic.
Vulnerability category: Input validation
Products affected by CVE-2023-26125
- cpe:2.3:a:gin-gonic:gin:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-26125
- EPSS score: 0.14% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~52% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2023-26125
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 3.9 | 3.4 | NIST | 
5.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.2 | 3.4 | Snyk | 
CWE ids for CVE-2023-26125
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-26125
- https://github.com/gin-gonic/gin/releases/tag/v1.9.0 (Release Notes): Release v1.9.0 · gin-gonic/gin · GitHub
- https://github.com/gin-gonic/gin/pull/3500 (Exploit, Patch): Add escape logic for header by t0rchwo0d · Pull Request #3500 · gin-gonic/gin · GitHub
- https://github.com/gin-gonic/gin/pull/3503 (Issue Tracking, Patch): Fix #3500 Add escape logic for header by t0rchwo0d · Pull Request #3503 · gin-gonic/gin · GitHub
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-3324285 (Exploit, Patch, Third Party Advisory): Improper Input Validation in github.com/gin-gonic/gin | CVE-2023-26125 | Snyk
- https://github.com/t0rchwo0d/gin/commit/fd9f98e70fb4107ee68c783482d231d35e60507b (Patch): Fix #3500 Add escape logic for header · t0rchwo0d/gin@fd9f98e · GitHub