Lucene search

K
cvelistSnykCVELIST:CVE-2023-26125
HistoryMay 04, 2023 - 5:00 a.m.

CVE-2023-26125

2023-05-0405:00:01
snyk
www.cve.org
vulnerable package
input validation
x-forwarded-prefix
cache poisoning

5.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.5%

Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.

Note: Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.

CNA Affected

[
  {
    "product": "github.com/gin-gonic/gin",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.9.0",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]

5.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.5%