Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security vulnerability identified with all current releases of gin CVE-2020-28483 #2626

Closed
stevesim101 opened this issue Feb 2, 2021 · 4 comments · Fixed by #2632
Closed

Security vulnerability identified with all current releases of gin CVE-2020-28483 #2626

stevesim101 opened this issue Feb 2, 2021 · 4 comments · Fixed by #2632
Assignees
@austinheap @manucorporat @javierprovecho
Labels
bug

Comments

@stevesim101
Copy link

Description

Current versions of gin are affected by CVE-2020-28483.
https://nvd.nist.gov/vuln/detail/CVE-2020-28483

How to reproduce

N/A

Expectations

Looking for a new release of gin that resolves the identified vulnerability.

Actual result

N/A

Environment

  • go version: 1.14.4 and higher
  • gin version (or commit ref):
  • operating system:
@javierprovecho javierprovecho linked a pull request Feb 8, 2021 that will close this issue
feat(engine): add trustedproxies and remoteIP #2632
Merged
2 tasks
@austinheap austinheap self-assigned this Feb 8, 2021
@austinheap austinheap added the bug label Feb 8, 2021
@montanaflynn
Copy link

What's the actual security implication here? Getting the wrong IP doesn't seem like a security risk, it's like saying users can spoof their user agent. Seeing comments like "// (insecure!) old behaviour)" has me thinking maybe I'm missing something.

I'm really relieved that the default behavior isn't changing because many gin servers can only be reached through a trusted proxy and it would be very difficult to add all the IPs to the TrustedProxies if you're behind a global CDN like cloudfront, whose IP addresses presumably are changing and being added to so often that there's a JSON API enumerating them:

http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips

@madhupavan
Copy link

@appleboy @manucorporat Now that this CVE is fixed, are we planning a release in near future.
Any information on the release cycle would be highly appreciated.
Thank you!

@gliptak
Copy link

gliptak commented Nov 15, 2021

#2632 was included in https://github.com/gin-gonic/gin/releases/tag/v1.7.0

@thinkerou
Copy link
Member

v1.7.7 have released, thanks! https://github.com/gin-gonic/gin/releases

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@austinheap austinheap

@manucorporat manucorporat

@javierprovecho javierprovecho

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(engine): add trustedproxies and remoteIP gin-gonic/gin
8 participants
@montanaflynn @gliptak @austinheap @manucorporat @javierprovecho @thinkerou @madhupavan @stevesim101