​
DirectorySecurity Advisories
Sign In
Security Advisories

CGA-x2m3-8vxr-vhhv

Published

Last updated

https://images.chainguard.dev/security/CGA-x2m3-8vxr-vhhv
Package

prometheus-fips

Latest Update
Fixed
Fixed Version

2.49.1-r1

Aliases
  • CVE-2023-45286
  • GHSA-xwh9-gc39-5298

Severity

5.9

Medium

CVSS V3

Summary

github.com/go-resty/resty/v2 HTTP request body disclosure

Description

A race condition in go-resty can result in HTTP request body disclosure across requests.

This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request.

The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

References

Updates


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images