CVE-2023-45286
HTTP request body disclosure in github.com/go-resty/resty/v2
Description
A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The pool then holds two references to one buffer, so a later call to sync.Pool.Get can hand out a bytes.Buffer that is still in use by another request and has not had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body of that unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so every request made through go-resty in the process draws from the same pool and the leaked body can be sent to a completely unrelated server.
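The sequence described above, reduced to a runnable Go example. This is added illustration, not go-resty's own code: bufferPool, stackPool, acquireBuffer/releaseBuffer, retriedRequest and ownedBody are hypothetical stand-ins modelled on the advisory text, and the request bodies are constructed sample data. stackPool is a deterministic LIFO pool used so that the double-Put reuse is reproduced every time; *sync.Pool satisfies the same interface and main runs the vulnerable path against it too, but sync.Pool's reuse is best-effort (a GC cycle can drop the buffer), so that run is not guaranteed to show the leak.

```go
package main

import (
	"bytes"
	"fmt"
	"sync"
)

// bufferPool is the subset of sync.Pool's API the example needs; *sync.Pool
// satisfies it. stackPool is a hypothetical deterministic stand-in.
type bufferPool interface {
	Get() any
	Put(x any)
}

// stackPool is LIFO and never drops items, so a buffer Put twice is handed
// out twice, exactly the situation the advisory describes.
type stackPool struct{ free []*bytes.Buffer }

func (p *stackPool) Get() any {
	if n := len(p.free); n > 0 {
		b := p.free[n-1]
		p.free = p.free[:n-1]
		return b
	}
	return new(bytes.Buffer)
}

func (p *stackPool) Put(x any) { p.free = append(p.free, x.(*bytes.Buffer)) }

// Vulnerable pattern (modelled on the advisory, not go-resty's source): Reset
// runs on release, not on acquire, so safety depends on exactly one Put.
func acquireBuffer(pool bufferPool) *bytes.Buffer { return pool.Get().(*bytes.Buffer) }

func releaseBuffer(pool bufferPool, buf *bytes.Buffer) {
	buf.Reset()
	pool.Put(buf)
}

// retriedRequest models a request retried once: the failed attempt and the
// completed retry each release the same buffer, so it is Put twice.
func retriedRequest(pool bufferPool, body string) {
	buf := acquireBuffer(pool)
	buf.WriteString(body)
	releaseBuffer(pool, buf) // released when the first attempt fails ...
	releaseBuffer(pool, buf) // ... and again after the retry: the bug
}

// leak reproduces the disclosure: requests B and C are handed the same
// *bytes.Buffer. C gets it while B still uses it, so C's body is appended
// to B's and both go out in C's request.
func leak(pool bufferPool) (bodyB, bodyC string, shared bool) {
	retriedRequest(pool, "retried body")
	bufB := acquireBuffer(pool)
	bufB.WriteString("user=bob&token=B-SECRET") // constructed sample body
	bufC := acquireBuffer(pool)                  // second reference to bufB
	bufC.WriteString("user=carol")               // constructed sample body
	return bufB.String(), bufC.String(), bufB == bufC
}

// Hardened pattern: one owner per buffer with an idempotent Release, so a
// retry path cannot Put twice; Reset on acquire is defence in depth only
// (it does not help if two goroutines already hold the same buffer).
type ownedBody struct {
	pool bufferPool
	buf  *bytes.Buffer
}

func newOwnedBody(pool bufferPool, body string) *ownedBody {
	buf := pool.Get().(*bytes.Buffer)
	buf.Reset() // never trust a pooled buffer to be clean
	buf.WriteString(body)
	return &ownedBody{pool: pool, buf: buf}
}

func (o *ownedBody) Release() {
	if o.buf == nil {
		return // already released: a second call is a no-op
	}
	o.buf.Reset()
	o.pool.Put(o.buf)
	o.buf = nil
}

func noLeak(pool bufferPool) (bodyB, bodyC string, shared bool) {
	a := newOwnedBody(pool, "retried body")
	a.Release()
	a.Release() // retry path releases again: harmless now
	b := newOwnedBody(pool, "user=bob&token=B-SECRET")
	c := newOwnedBody(pool, "user=carol")
	return b.buf.String(), c.buf.String(), b.buf == c.buf
}

func main() {
	_, bodyC, shared := leak(&stackPool{})
	fmt.Printf("vulnerable (stackPool): shared=%v, C sends %q\n", shared, bodyC)
	b, c, shared := noLeak(&stackPool{})
	fmt.Printf("hardened:   shared=%v, B sends %q, C sends %q\n", shared, b, c)
	// Same vulnerable path against a real package-level sync.Pool (best-effort).
	live := &sync.Pool{New: func() any { return new(bytes.Buffer) }}
	_, c, shared = leak(live)
	fmt.Printf("vulnerable (sync.Pool): shared=%v, C sends %q\n", shared, c)
}
```

The point of the hardened form is that the fix has to be at the release site: once two holders share a buffer, no amount of Reset on Get can separate them, which is why the advisory rates the impact as confidentiality only but across arbitrary, unrelated requests.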
How to fix CVE-2023-45286
To remediate CVE-2023-45286, upgrade the affected module to a fixed version listed below. This CVE is in the Go vulnerability database, so running govulncheck on the module reports whether the affected code is actually reachable from your build rather than merely present in go.sum.
- no fix listed
- upgrade to 2.11.0 or later
- upgrade to 2.11.0 or later
Is CVE-2023-45286 being exploited?
Low. EPSS is 0.4%, i.e. the model estimates a low probability of exploitation in the wild over the next 30 days, and no large-scale exploitation activity has been reported. Note that triggering the leak needs no action by an attacker against the client: it happens on its own whenever retries fire, so any retried request carrying a sensitive body can disclose it to whichever destination the next request goes to.
Affected packages (3)
- all versions from 0 (no fixed version)
- >= 2.10.0, < 2.11.0
- >= 2.10.0, < 2.11.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.9) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |