CVE-2023-29401
Description
The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different from the one provided. In short: a maliciously crafted attachment file name can modify the Content-Disposition header.
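The following Go program is an added illustration of the header-injection pattern described above and of the standard-library fix; it is not code from the gin project. NaiveDisposition is an assumed reconstruction of the unsafe construction (the name is spliced into the header unescaped), while SafeDisposition uses mime.FormatMediaType, which quotes and escapes the value or falls back to the RFC 2231 filename*= form for non-ASCII names.

```go
package main

import (
	"fmt"
	"mime"
)

// NaiveDisposition mirrors the unsafe construction the advisory describes
// (assumed reconstruction, not gin's code): the caller-supplied name is
// spliced into the header verbatim, so a '"' or ';' inside it terminates
// the filename parameter early and lets the rest of the name add or
// override parameters.
func NaiveDisposition(filename string) string {
	return fmt.Sprintf(`attachment; filename="%s"`, filename)
}

// SafeDisposition builds the header with mime.FormatMediaType, which
// emits a bare token when possible, otherwise a quoted string with '"'
// and '\' backslash-escaped, and switches to filename*=utf-8'' percent
// encoding when the name contains non-ASCII or control bytes.
func SafeDisposition(filename string) string {
	return mime.FormatMediaType("attachment", map[string]string{"filename": filename})
}

// RoundTrip re-parses a header the way a conforming client would and
// returns the filename it recovers; a non-nil error means the parameter
// list is no longer well formed (a symptom of the injection).
func RoundTrip(header string) (string, error) {
	_, params, err := mime.ParseMediaType(header)
	if err != nil {
		return "", err
	}
	return params["filename"], nil
}

func main() {
	// Constructed sample names: the advisory's payload, a non-ASCII name
	// and a benign one.
	for _, name := range []string{`setup.bat";x=.txt`, "résumé.pdf", "report.pdf"} {
		naive, safe := NaiveDisposition(name), SafeDisposition(name)
		got, err := RoundTrip(safe)
		fmt.Printf("name=%q\n  naive: %s\n  safe:  %s\n  parsed back: %q (err=%v)\n",
			name, naive, safe, got, err)
	}
}
```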
Mitigations
No mitigations published for this CVE yet.
OS impact
Debian (mixed status across 5 releases)
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1.8.1-3 |
| sid | Fixed | 1.8.1-3 |
| forky | Fixed | 1.8.1-3 |
| bullseye | Affected | not fixed |
| bookworm | Affected | not fixed |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/gin-gonic/gin | >=1.3.1-0.20190301021747-ccb9e902956d,<1.9.1 | 1.9.1 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-29401
- https://github.com/gin-gonic/gin/issues/3555
- https://github.com/gin-gonic/gin/pull/3556
- https://github.com/gin-gonic/gin
- https://github.com/gin-gonic/gin/releases/tag/v1.9.1
- https://pkg.go.dev/vuln/GO-2023-1737
- https://security-tracker.debian.org/tracker/CVE-2023-29401