Source: golang-github-go-resty-resty
Version: 2.10.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/go-resty/resty/pull/745
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for golang-github-go-resty-resty.

CVE-2023-45286[0]:
| A race condition in go-resty can result in HTTP request body
| disclosure across requests. This condition can be triggered by
| calling sync.Pool.Put with the same *bytes.Buffer more than once,
| when request retries are enabled and a retry occurs. The call to
| sync.Pool.Get will then return a bytes.Buffer that hasn't had
| bytes.Buffer.Reset called on it. This dirty buffer will contain the
| HTTP request body from an unrelated request, and go-resty will
| append the current HTTP request body to it, sending two bodies in
| one request. The sync.Pool in question is defined at package level
| scope, so a completely unrelated server could receive the request
| body.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45286
    https://www.cve.org/CVERecord?id=CVE-2023-45286
[1] https://github.com/go-resty/resty/pull/745

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
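The double sync.Pool.Put pattern the CVE text describes, as an added illustration that is not part of this report and not resty's own code: leakyRequests releases one buffer twice (as a retry path would), so a later Get hands out a buffer another request is still filling; safeRequests shows the two guards a maintainer would want, release-once via a nilled owner pointer and Reset on Get. The function and variable names are assumptions for this example.

```go
package main

import (
	"bytes"
	"sync"
)

// Package-level pool, as in the advisory: shared by every request in the process.
var bufPool = sync.Pool{New: func() interface{} { return new(bytes.Buffer) }}

// release is correct only when called once per buffer.
func release(buf *bytes.Buffer) { buf.Reset(); bufPool.Put(buf) }

// leakyRequests models the flaw: A releases its buffer twice (once per attempt),
// so the pool holds one pointer twice and C Gets the buffer B is still filling.
func leakyRequests(bodyB, bodyC string) (string, string) {
	a := bufPool.Get().(*bytes.Buffer) // request A, which will be retried
	release(a)                         // first attempt done
	release(a)                         // retry path releases it again: the bug
	b := bufPool.Get().(*bytes.Buffer)
	b.WriteString(bodyB)
	c := bufPool.Get().(*bytes.Buffer) // same *bytes.Buffer as b, not Reset
	c.WriteString(bodyC)               // since B wrote: B's body leaks into C
	return b.String(), c.String()
}

func acquire() *bytes.Buffer {
	buf := bufPool.Get().(*bytes.Buffer)
	buf.Reset() // never trust a pooled buffer to be clean
	return buf
}

// safeRelease nils the owner's pointer first, so a retry's second call is a no-op.
func safeRelease(bufp **bytes.Buffer) {
	if buf := *bufp; buf != nil {
		*bufp = nil
		release(buf)
	}
}

// safeRequests runs the same scenario with both guards in place.
func safeRequests(bodyB, bodyC string) (string, string) {
	a := acquire()
	safeRelease(&a)
	safeRelease(&a) // retry path: no-op now
	b, c := acquire(), acquire()
	b.WriteString(bodyB)
	c.WriteString(bodyC)
	return b.String(), c.String()
}
```

With the constructed bodies "body-B" and "body-C", the leaky path sends "body-Bbody-C" for request C, which is the two-bodies-in-one-request outcome the advisory describes.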