#VU80818 Download of code without integrity check in Gin - CVE-2023-29401


Vulnerability identifier: #VU80818

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-29401

CWE-ID: CWE-494

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Gin
Web applications / CMS

Vendor: Gin-Gonic

Description

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to software does not perform software integrity check when downloading updates. A remote attacker with ability to perform man-in-the-middle (MitM) attack can supply a malicious software image and modify data on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Gin: before 1.9.1

External links
https://pkg.go.dev/vuln/GO-2023-1737
https://github.com/gin-gonic/gin/releases/tag/v1.9.1
https://github.com/gin-gonic/gin/issues/3555
https://github.com/gin-gonic/gin/pull/3556

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.14
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.14
Splunk Enterprise update for third-party components
Multiple vulnerabilities in IBM Planning Analytics Local - IBM Planning Analytics Workspace
Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps
Multiple vulnerabilities in Migration Toolkit for Virtualization 2.5
Multiple vulnerabilities in IBM Planning Analytics Cartridge for IBM Cloud Pak for Data
Multiple vulnerabilities in IBM Storage Fusion and IBM Storage Fusion HCI
Multiple vulnerabilities in Migration Toolkit for Containers 1.7