Download of code without integrity check in Gin

#VU80818 Download of code without integrity check in Gin

Published: 2023-09-15

Vulnerability identifier: #VU80818

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29401

CWE-ID: CWE-494

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Gin
Web applications / CMS

Vendor:

Description

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to software does not perform software integrity check when downloading updates. A remote attacker with ability to perform man-in-the-middle (MitM) attack can supply a malicious software image and modify data on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://pkg.go.dev/vuln/GO-2023-1737
http://github.com/gin-gonic/gin/releases/tag/v1.9.1
http://github.com/gin-gonic/gin/issues/3555
http://github.com/gin-gonic/gin/pull/3556

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps

Multiple vulnerabilities in Migration Toolkit for Virtualization 2.5

Multiple vulnerabilities in IBM Planning Analytics Cartridge for IBM Cloud Pak for Data

Multiple vulnerabilities in IBM Storage Fusion and IBM Storage Fusion HCI