{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2020-36567", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2022-07-29T19:10:22.854Z", "datePublished": "2022-12-27T20:58:14.400Z", "dateUpdated": "2024-08-04T17:30:08.458Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-06-06T18:28:26.763Z"}, "title": "Arbitrary log line injection in github.com/gin-gonic/gin", "descriptions": [{"lang": "en", "value": "Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines."}], "affected": [{"vendor": "github.com/gin-gonic/gin", "product": "github.com/gin-gonic/gin", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/gin-gonic/gin", "versions": [{"version": "0", "lessThan": "1.6.0", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "LoggerWithConfig"}, {"name": "Default"}, {"name": "Logger"}, {"name": "LoggerWithFormatter"}, {"name": "LoggerWithWriter"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-117 Improper Output Neutralization for Logs"}]}], "references": [{"url": "https://github.com/gin-gonic/gin/pull/2237"}, {"url": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d"}, {"url": "https://pkg.go.dev/vuln/GO-2020-0001"}], "credits": [{"lang": "en", "value": "@thinkerou <thinkerou@gmail.com>"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:30:08.458Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/gin-gonic/gin/pull/2237", "tags": ["x_transferred"]}, {"url": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2020-0001", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gin-gonic:gin:*:*:*:*:*:*:*:*", "matchCriteriaId": "0714F5FD-4700-4F2C-B63D-52128C3E2917", "versionEndExcluding": "1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines."}, {"lang": "es", "value": "La entrada no sanitizada en el registrador predeterminado en github.com/gin-gonic/gin anterior a v1.6.0 permite a atacantes remotos inyectar l\u00edneas de registro arbitrarias."}], "id": "CVE-2020-36567", "lastModified": "2023-11-07T03:22:17.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-27T21:15:10.903", "references": [{"source": "security@golang.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d"}, {"source": "security@golang.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/gin-gonic/gin/pull/2237"}, {"source": "security@golang.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2020-0001"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:0934", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.0::el8", "package": "mta/mta-admin-addon-rhel8:6.0.1-8", "product_name": "MTA-6.0-RHEL-8", "release_date": "2023-02-28T00:00:00Z"}, {"advisory": "RHSA-2023:0934", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.0::el8", "package": "mta/mta-hub-rhel8:6.0.1-8", "product_name": "MTA-6.0-RHEL-8", "release_date": "2023-02-28T00:00:00Z"}, {"advisory": "RHSA-2023:0934", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.0::el8", "package": "mta/mta-windup-addon-rhel8:6.0.1-9", "product_name": "MTA-6.0-RHEL-8", "release_date": "2023-02-28T00:00:00Z"}, {"advisory": "RHSA-2023:1428", "cpe": "cpe:/a:redhat:rhmt:1.7::el8", "package": "rhmtc/openshift-migration-controller-rhel8:v1.7.8-6", "product_name": "Red Hat Migration Toolkit for Containers 1.7", "release_date": "2023-03-23T00:00:00Z"}], "bugzilla": {"description": "gin: Unsanitized input in the default logger in github.com/gin-gonic/gin", "id": "2156683", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156683"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-117", "details": ["Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines.", "A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path."], "name": "CVE-2020-36567", "package_state": [{"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Not affected", "package_name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/logging-loki-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/lokistack-gateway-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "migration-toolkit-virtualization/mtv-controller-rhel8", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "migration-toolkit-virtualization/mtv-must-gather-api-rhel8", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/client-kn-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "openshift-serverless-1/ingress-rhel8-operator", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "acm-multicluster-globalhub-agent-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/acm-grafana-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/acm-prometheus-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/lighthouse-agent-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multiclusterhub-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Will not fix", "package_name": "rhacm2/rbac-query-proxy-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Will not fix", "package_name": "rhacm2/thanos-receive-controller-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Will not fix", "package_name": "rhacm2/thanos-rhel7", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-agent-installer-api-server-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-agent-installer-csr-approver-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-agent-installer-node-agent-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cluster-monitoring-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-coredns", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-docker-builder", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-image-customization-controller-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-installer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-prometheus-alertmanager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-prometheus-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-prom-label-proxy", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-thanos-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:assisted_installer:", "fix_state": "Out of support scope", "package_name": "rhai-tech-preview/assisted-installer-agent-rhel8", "product_name": "Red Hat OpenShift Container Platform Assisted Installer"}, {"cpe": "cpe:/a:redhat:assisted_installer:", "fix_state": "Out of support scope", "package_name": "rhai-tech-preview/assisted-installer-rhel8", "product_name": "Red Hat OpenShift Container Platform Assisted Installer"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Affected", "package_name": "devspaces/machineexec-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "package_name": "quay/quay-operator-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:webterminal:1", "fix_state": "Affected", "package_name": "web-terminal-exec-container", "product_name": "Red Hat Web Terminal"}], "public_date": "2022-12-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-36567\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-36567\nhttps://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d\nhttps://github.com/gin-gonic/gin/pull/2237\nhttps://pkg.go.dev/vuln/GO-2020-0001"], "threat_severity": "Moderate", "upstream_fix": "gin 1.6.0"}