CVE-2020-36567
Injection vulnerability in gin (Go)

Tags: Injection | No known exploit | Fixable by Resolved Security

What is CVE-2020-36567 About?

This injection vulnerability affects the default Formatter for the Logger middleware in the Default engine. Attackers can manipulate the request path to inject arbitrary log entries. This can lead to obscured legitimate logs or log-based attacks. Exploitation is relatively easy, requiring only a manipulated request path.

Affected Software

github.com/gin-gonic/gin <1.6.0

Technical Details

The Logger middleware's default Formatter (LoggerConfig.Formatter) in the Default engine is vulnerable to log injection. This occurs because the formatter does not properly sanitize or escape user-controlled input, specifically the request path, before incorporating it into log entries. An attacker can include newline characters (%0a or %0d%0a) and other control characters, followed by arbitrary text, within the HTTP request path. When the vulnerable Logger processes this path, it interprets these control characters, causing the attacker's arbitrary text to be parsed as separate log entries or to alter the format of existing entries, potentially leading to log file poisoning or other log-based attacks.

What is the Impact of CVE-2020-36567?

Successful exploitation may allow attackers to inject false log entries, mask malicious activities, or potentially trigger log parsing vulnerabilities in downstream systems.

What is the Exploitability of CVE-2020-36567?

Exploiting this log injection vulnerability is straightforward, requiring minimal complexity. The primary prerequisite is the ability to send a crafted HTTP request to the vulnerable application. There are no authentication or privilege requirements, as the vulnerability resides in how the server processes and logs request paths. This is a remote exploit. Special conditions mainly involve the application using the default Logger middleware and its Formatter. Risk factors that increase exploitation likelihood include applications that expose their logs or use log analysis tools, as injected entries could lead to further compromise or confusion.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
--- | --- | --- | ---
No known exploits | | |

What are the Available Fixes for CVE-2020-36567?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

The patch changes the log formatter to output request paths using the Go %#v format, which produces escaped, double-quoted strings, rather than outputting them verbatim. This prevents attackers from injecting malicious control characters or newlines into log entries via the request path, thereby fixing CVE-2020-36567, a log injection vulnerability.
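The following stand-alone Go program is an added illustration of the behaviour described in Technical Details and in the fix description above; it is not gin's own code. It uses a simplified stand-in for gin's default log formatter (only the path handling is kept), decodes a constructed request path containing an encoded newline, and shows that the verbatim formatter emits two log lines while the %#v formatter keeps the request in one escaped line.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Assumed, simplified stand-ins for gin's default LogFormatter. The real
// formatter also prints timestamp, latency and client IP; only the path
// handling matters for CVE-2020-36567, so that is what is kept here.

// vulnerableFormat writes the request path verbatim, as gin < 1.6.0 did.
func vulnerableFormat(method, path string, status int) string {
	return fmt.Sprintf("[GIN] %3d | %-7s %s\n", status, method, path)
}

// fixedFormat mirrors the fix: the path is printed with %#v, which yields a
// double-quoted Go string literal with control characters escaped.
func fixedFormat(method, path string, status int) string {
	return fmt.Sprintf("[GIN] %3d | %-7s %#v\n", status, method, path)
}

// countEntries reports how many log lines a single request produced.
func countEntries(entry string) int {
	return len(strings.Split(strings.TrimRight(entry, "\n"), "\n"))
}

// decodeRequestPath mimics what the HTTP server does before the path
// reaches the logger: %0a and %0d%0a are decoded to LF / CRLF.
func decodeRequestPath(raw string) (string, error) {
	return url.PathUnescape(raw)
}

func main() {
	// Constructed sample: a single request whose raw path carries an
	// encoded newline followed by text shaped like a second log entry.
	raw := "/api/items%0a[GIN] 200 | GET     /admin/login"
	path, err := decodeRequestPath(raw)
	if err != nil {
		panic(err)
	}
	fmt.Print(vulnerableFormat("GET", path, 404)) // two lines, one of them forged
	fmt.Print(fixedFormat("GET", path, 404))      // one line, newline shown as \n
}
```

A log pipeline that splits on newlines sees the forged line as a genuine entry in the vulnerable case, which is why the escaped form is the one downstream parsers should receive.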

Available Upgrade Options

  • github.com/gin-gonic/gin
    • <1.6.0 → Upgrade to 1.6.0


Additional Resources

What are Similar Vulnerabilities to CVE-2020-36567?

Similar Vulnerabilities: CVE-2021-23382, CVE-2022-24756, CVE-2022-31093, CVE-2023-26462, CVE-2023-27581