Go modules package
github.com/gin-gonic/gin
pkg:golang/github.com/gin-gonic/gin
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-25211 | Critical | 9.1 | | < 1.6.0 | 1.6.0 | Jun 29, 2024 | parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed w |
| CVE-2023-29401 | — | — | | >= 1.3.1-0.20190301021747-ccb9e902956d, < 1.9.1 | 1.9.1 | Jun 8, 2023 | The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filenam |
| CVE-2023-26125 | — | — | | < 1.9.0 | 1.9.0 | May 4, 2023 | Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning. **Note:** Although this issue does not |
| CVE-2020-36567 | — | — | | < 1.6.0 | 1.6.0 | Dec 27, 2022 | Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines. |
| CVE-2020-28483 | — | — | | < 1.7.7 | 1.7.7 | Jan 20, 2021 | This affects all versions of package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header. |
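The CVE-2019-25211 row describes origin rules that were matched as string prefixes, so `https://example.com/*` also admitted `https://example.community`. The following is an added example written for this page, not code from gin or from the CORS middleware: an origin allowlist that compares scheme and host as whole components (exact host, or a `*.` wildcard that only matches at a label boundary). `OriginRule`, `ParseOriginRule` and `OriginAllowed` are names chosen here, and the rule and origin strings in `main` are constructed test values.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// OriginRule is one allowlist entry: an exact scheme and host, or a scheme
// plus a wildcard subdomain suffix written as "*.example.com".
// (Hypothetical type for this example, not part of gin or gin-contrib/cors.)
type OriginRule struct {
	Scheme   string
	Host     string // exact host[:port], or the suffix after "*." for wildcard rules
	Wildcard bool
}

// ParseOriginRule accepts "https://example.com", "https://example.com/*"
// (the trailing "/*" is dropped, since an origin carries no path) or
// "https://*.example.com". Anything that is not scheme://host is rejected.
func ParseOriginRule(rule string) (OriginRule, error) {
	rule = strings.TrimSuffix(strings.TrimSuffix(strings.TrimSpace(rule), "/*"), "/")
	scheme, host, ok := strings.Cut(rule, "://")
	if !ok || scheme == "" || host == "" {
		return OriginRule{}, fmt.Errorf("rule %q: want scheme://host", rule)
	}
	if strings.ContainsAny(host, "/?#@") {
		return OriginRule{}, fmt.Errorf("rule %q: an origin has no path, query or userinfo", rule)
	}
	scheme, host = strings.ToLower(scheme), strings.ToLower(host)
	if strings.HasPrefix(host, "*.") {
		return OriginRule{Scheme: scheme, Host: host[2:], Wildcard: true}, nil
	}
	if strings.Contains(host, "*") {
		return OriginRule{}, fmt.Errorf("rule %q: wildcard is only allowed as the leading label", rule)
	}
	return OriginRule{Scheme: scheme, Host: host}, nil
}

// Matches compares the Origin header against the rule component by component:
// equal scheme, then equal host (exact rule) or a host that ends in "."+suffix
// (wildcard rule). A plain string-prefix test would let
// "https://example.community" pass for "https://example.com".
func (r OriginRule) Matches(origin string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	// A browser Origin is scheme://host[:port] only; anything more is not one.
	if u.Path != "" || u.RawQuery != "" || u.Fragment != "" || u.User != nil {
		return false
	}
	if strings.ToLower(u.Scheme) != r.Scheme {
		return false
	}
	host := strings.ToLower(u.Host)
	if r.Wildcard {
		return strings.HasSuffix(host, "."+r.Host)
	}
	return host == r.Host
}

// OriginAllowed reports whether any rule matches the Origin header value.
func OriginAllowed(rules []OriginRule, origin string) bool {
	for _, r := range rules {
		if r.Matches(origin) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed rules and origins for the demonstration.
	var rules []OriginRule
	for _, s := range []string{"https://example.com/*", "http://localhost", "https://*.example.org"} {
		r, err := ParseOriginRule(s)
		if err != nil {
			panic(err)
		}
		rules = append(rules, r)
	}
	for _, o := range []string{
		"https://example.com", "https://example.community", "http://localhost",
		"http://localhost.example.com", "https://app.example.org", "https://example.org",
	} {
		fmt.Printf("%-30s allowed=%v\n", o, OriginAllowed(rules, o))
	}
}
```

The rejection of `https://example.community` and `http://localhost.example.com` comes from comparing the parsed host for equality rather than testing that the origin starts with the rule text; the wildcard form only matches when the host has at least one extra label in front of the suffix, so `https://example.org` itself does not match `https://*.example.org`.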
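The CVE-2023-29401 row concerns a filename that is interpolated unescaped into the Content-Disposition header. The following is an added example for this page, not gin's `Context.FileAttachment` code or its fix: the vulnerable interpolation pattern next to a hardened version that delegates the serialisation to `mime.FormatMediaType` from the Go standard library, with a strict parser to show what a receiver sees in each case. `UnsafeContentDisposition`, `SafeContentDisposition`, `ParsedFilename` and `HasRawCRLF` are names chosen here, and the attacker-controlled filenames in `main` are constructed.

```go
package main

import (
	"fmt"
	"mime"
	"strings"
)

// UnsafeContentDisposition reproduces the vulnerable pattern: the caller's
// filename is interpolated verbatim into the quoted-string, so a '"' ends the
// string early and a CR/LF ends the header value.
func UnsafeContentDisposition(filename string) string {
	return fmt.Sprintf(`attachment; filename="%s"`, filename)
}

// SafeContentDisposition lets the standard library serialise the parameter.
// mime.FormatMediaType backslash-escapes '"' and '\' inside a quoted-string
// and switches to RFC 2231 form (filename*=utf-8''...) when the value holds
// control or non-ASCII bytes, so a raw CR or LF never reaches the wire.
func SafeContentDisposition(filename string) string {
	return mime.FormatMediaType("attachment", map[string]string{"filename": filename})
}

// ParsedFilename reads the header back with a strict parser and returns the
// filename parameter. A header carrying two differing filename parameters
// (the injected one plus the original) is rejected by mime.ParseMediaType.
func ParsedFilename(header string) (string, error) {
	disp, params, err := mime.ParseMediaType(header)
	if err != nil {
		return "", err
	}
	if disp != "attachment" {
		return "", fmt.Errorf("unexpected disposition %q", disp)
	}
	return params["filename"], nil
}

// HasRawCRLF reports whether a header value would terminate the header line
// early if written unchecked.
func HasRawCRLF(header string) bool {
	return strings.ContainsAny(header, "\r\n")
}

func main() {
	// Constructed attacker-controlled filenames (not taken from the advisory).
	for _, name := range []string{
		"report.pdf",
		`evil.exe"; filename="report.pdf`,
		"report.pdf\r\nSet-Cookie: session=attacker",
	} {
		for _, variant := range []struct{ label, header string }{
			{"unsafe", UnsafeContentDisposition(name)},
			{"safe", SafeContentDisposition(name)},
		} {
			got, err := ParsedFilename(variant.header)
			fmt.Printf("%-6s %q\n       parsed=%q err=%v rawCRLF=%v\n",
				variant.label, variant.header, got, err, HasRawCRLF(variant.header))
		}
	}
}
```

The unsafe variant turns `evil.exe"; filename="report.pdf` into a header with two `filename` parameters, which is exactly the ambiguity different user agents resolve differently; the safe variant yields one escaped quoted-string that parses back to the original name, and a name containing CR/LF is percent-encoded rather than emitted raw.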
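The CVE-2020-28483 row describes the classic X-Forwarded-For problem: a client connected directly to the server can set the header to any value. The following is an added example for this page, not gin's `ClientIP` implementation: a client-IP derivation that believes X-Forwarded-For only when the TCP peer is a configured proxy, then walks the header right to left past trusted hops. This is the same idea as configuring trusted proxies with `Engine.SetTrustedProxies` in current gin. `TrustedProxies`, `ParseTrustedProxies` and `ClientIP` are names chosen here, and the addresses in `main` are constructed documentation-range values.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// TrustedProxies holds the address ranges of proxies whose X-Forwarded-For
// entries are believed. (Hypothetical type for this example.)
type TrustedProxies []*net.IPNet

// ParseTrustedProxies parses CIDR strings such as "10.0.0.0/8".
func ParseTrustedProxies(cidrs []string) (TrustedProxies, error) {
	var nets TrustedProxies
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	return nets, nil
}

func (tp TrustedProxies) trusted(ip net.IP) bool {
	for _, n := range tp {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP derives the client address from the socket peer (RemoteAddr) and
// the X-Forwarded-For header. If the peer is not a trusted proxy the header is
// ignored outright: an internet client can write anything into XFF but cannot
// make its own socket address lie. Behind a trusted proxy the header is read
// from the right, skipping trusted hops, and the first untrusted address is
// the client; entries further left were supplied by the client itself.
// A malformed hop falls back to the peer address (choice made for this example).
func ClientIP(remoteAddr, xff string, tp TrustedProxies) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return ""
	}
	if !tp.trusted(peer) || strings.TrimSpace(xff) == "" {
		return peer.String()
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return peer.String()
		}
		if !tp.trusted(ip) {
			return ip.String()
		}
	}
	// Every hop was a trusted proxy: report the leftmost one.
	return net.ParseIP(strings.TrimSpace(hops[0])).String()
}

func main() {
	tp, err := ParseTrustedProxies([]string{"10.0.0.0/8"})
	if err != nil {
		panic(err)
	}
	// Constructed cases: a direct client forging XFF, a real proxy chain,
	// and a client prepending its own entries before a trusted proxy.
	for _, c := range []struct{ peer, xff string }{
		{"203.0.113.7:51000", "10.0.0.1"},
		{"10.0.0.5:51000", "198.51.100.9"},
		{"10.0.0.5:51000", "1.2.3.4, 198.51.100.9, 10.0.0.6"},
		{"10.0.0.5:51000", "not-an-ip"},
	} {
		fmt.Printf("peer=%-18s xff=%-34q client=%s\n", c.peer, c.xff, ClientIP(c.peer, c.xff, tp))
	}
}
```

With an empty trusted set the function degrades to "always the socket address", which is the correct answer for a gin instance exposed directly to the internet; the header only becomes meaningful once the peer is one of the listed proxies.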