CVE-2023-29401
Content-Disposition Manipulation vulnerability in gin (Go)


What is CVE-2023-29401 About?

The `Context.FileAttachment` function's filename parameter is vulnerable to manipulation. A maliciously crafted filename can alter the `Content-Disposition` header, leading to unexpected file naming or modification. This allows an attacker to control how files are perceived, potentially facilitating further attacks. Exploitation is simple, involving specially crafted input.

Affected Software

github.com/gin-gonic/gin >1.3.1-0.20190301021747-ccb9e902956d, <1.9.1

Technical Details

This vulnerability resides in the `Context.FileAttachment` function, where the `filename` parameter is not sanitized before it is placed in the `Content-Disposition` header. An attacker can embed special characters (in particular double quotes and backslashes) in the filename string so that, once interpolated into the header, they change its intended value. For example, a filename such as `setup.bat";x=".txt` contains an unescaped quote that closes the `filename` parameter right after `setup.bat`; the client therefore reads `setup.bat` as the filename and treats the remainder (`;x=".txt"`) as an unrelated parameter, rather than seeing `.txt` or some other benign extension. This bypasses the extension the application intended and lets the attacker control the filename presented to the end user or client. Because the input directly alters the header's structure, the client may make incorrect assumptions about the file type, or other security checks keyed on the filename may be bypassed.

What is the Impact of CVE-2023-29401?

Successful exploitation may allow attackers to serve files with an unexpected name or modified `Content-Disposition` header, potentially leading to misidentification of file types, security control bypasses, or confusion for end-users.

What is the Exploitability of CVE-2023-29401?

Exploitation of this Content-Disposition manipulation vulnerability is of low complexity. It requires an attacker to provide a specially crafted filename string to the Context.FileAttachment function. No authentication or special privileges are typically needed beyond the ability to trigger a file attachment mechanism where the filename is derived from untrusted input. This is generally a remote vulnerability as it involves manipulating data transmitted over a network. There are no specific special conditions or constraints other than the application using the vulnerable function with untrusted input. Risk factors increase significantly if the application uses this function to serve files where the filename is directly or indirectly controlled by users, allowing attackers to trick users or systems into misinterpreting file types or origins.

What are the Known Public Exploits?

No known public exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2023-29401?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch escapes quotes and backslashes in filenames used in the Content-Disposition header, preventing malformed headers and potential HTTP response splitting or content injection. This mitigates CVE-2023-29401, which arises because unescaped quotes and backslashes could let an attacker manipulate the header and execute attacks such as HTTP response splitting.
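The following added example (written for this page, not gin's own source) puts the vulnerable header construction from the Technical Details section beside the escaping fix described above, and parses both results the way a standards-conforming client would so the effect of the crafted name is visible. The crafted filename is the one quoted in the advisory; the function names are assumptions.

```go
package main

import (
	"fmt"
	"mime"
	"strings"
)

// Constructed input in the shape the advisory describes: the embedded quote
// closes the filename parameter early and smuggles a second parameter.
const craftedName = `setup.bat";x=".txt`

// Vulnerable construction: the caller-supplied filename is interpolated into
// the header verbatim (the pattern CVE-2023-29401 describes).
func vulnerableDisposition(filename string) string {
	return `attachment; filename="` + filename + `"`
}

// Hardened construction illustrating the fix the advisory describes: escape
// backslashes and double quotes so they stay inside the quoted-string.
// strings.Replacer does both substitutions in a single pass over the input,
// so the backslash added for a quote is never itself re-escaped.
var quoteEscaper = strings.NewReplacer(`\`, `\\`, `"`, `\"`)

func safeDisposition(filename string) string {
	return `attachment; filename="` + quoteEscaper.Replace(filename) + `"`
}

// parseDisposition reads a header value back using the quoted-string rules
// a client applies (via mime.ParseMediaType) and returns the parameters the
// client would see, or nil if the header is malformed.
func parseDisposition(header string) map[string]string {
	_, params, err := mime.ParseMediaType(header)
	if err != nil {
		return nil
	}
	return params
}

func main() {
	for _, h := range []string{vulnerableDisposition(craftedName), safeDisposition(craftedName)} {
		fmt.Printf("header:      %s\nclient sees: %q\n\n", h, parseDisposition(h))
	}
}
```

With the vulnerable header the client sees `filename=setup.bat` plus an injected `x` parameter; with the escaped header the whole crafted string round-trips as a single, harmless filename.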

Available Upgrade Options

  • github.com/gin-gonic/gin
    • >1.3.1-0.20190301021747-ccb9e902956d, <1.9.1 → Upgrade to 1.9.1


Additional Resources

What are Similar Vulnerabilities to CVE-2023-29401?

Similar Vulnerabilities: CVE-2019-17637, CVE-2017-1000100, CVE-2018-1000007, CVE-2021-36195, CVE-2019-15875