fix: 🎨 updated gin to 1.7.4 to fix CVE-2020-28483 #119

melnikovio · 2021-09-07T12:36:32Z

Update Gin to 1.7.4 to fix CVE-2020-28483

Details from Dependency Check:

This affects all versions of package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:
Base Score: MEDIUM (5.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
Base Score: HIGH (7.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

References:
MISC - gin-gonic/gin#2474
MISC - https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736
Vulnerable Software & Versions:

cpe:2.3:a:gin-gonic:gin:::::::: versions up to (excluding) 1.7.0

bogdandrutu · 2021-12-21T21:29:56Z

@rs please merge and create a new tag release if possible :)

ndeweerd-seek · 2021-12-21T22:13:50Z

1.7.4 did not fix CVE-2020-28483

Please update this to 1.7.7.

yuina1056 · 2021-12-22T02:05:22Z

Created a corresponding pull request.
#124

rs · 2021-12-22T04:13:43Z

Fixed in master

fix: 🎨 updated gin to 1.7.4 to fix CVE-2020-28483

60491c1

yuina1056 mentioned this pull request Dec 22, 2021

fix CVE-2020-28483 #124

Closed

rs closed this Dec 22, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: 🎨 updated gin to 1.7.4 to fix CVE-2020-28483 #119

fix: 🎨 updated gin to 1.7.4 to fix CVE-2020-28483 #119

melnikovio commented Sep 7, 2021

bogdandrutu commented Dec 21, 2021

ndeweerd-seek commented Dec 21, 2021

yuina1056 commented Dec 22, 2021

rs commented Dec 22, 2021

fix: 🎨 updated gin to 1.7.4 to fix CVE-2020-28483 #119

fix: 🎨 updated gin to 1.7.4 to fix CVE-2020-28483 #119

Conversation

melnikovio commented Sep 7, 2021

bogdandrutu commented Dec 21, 2021

ndeweerd-seek commented Dec 21, 2021

yuina1056 commented Dec 22, 2021

rs commented Dec 22, 2021