CVE-2023-26125

2023-05-0405:15:09

CWE-20

[email protected]

web.nvd.nist.gov

cve-2023-26125

security

input validation

cache poisoning

vulnerability

github

gin-gonic

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

7 High

AI Score

Confidence

High

JSON

Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.

Note: Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.

CPE configuration

NVD

gin-gonicginRange<1.9.0

CPENameOperatorVersion
gin-gonic:gingin-gonic ginlt1.9.0

CPE	Name	Operator	Version
gin-gonic:gin	gin-gonic gin	lt	1.9.0

CNA Affected

[
  {
    "product": "github.com/gin-gonic/gin",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.9.0",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]