  1. Couchbase Gateway
  2. CBG-2048

Update nhooyr.io/websocket gin-gonic/gin CVE-2020-28483

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 3.1.0
    • postHelium
    • SyncGateway
    • Security Level: Public
    • 1
    • CVE-2020-28483
    • High

    Description

      In SGW 3.1.x, nhooyr.io/websocket:v1.8.7 brings in github.com/gin-gonic/gin:v1.6.3,
      in which X-Forwarded-For handling is unsafe, allowing for client spoofing. This is a high-severity vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2020-28483

      More info at
      https://github.com/gin-gonic/gin/pull/2474

      nhooyr.io/websocket v1.8.7 is the latest version, but there's an open PR to update gin @
      https://github.com/nhooyr/websocket/pull/332/commits/ca33690ff53e22f528eca3ccfefb125e3d8a3fb4

      We need to wait for an updated version, patch it ourselves, or use a different library.
      It looks like this is an indirect dependency https://github.com/couchbase/sync_gateway/blob/master/go.mod#L75
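
As an added illustration of the class of bug this ticket describes (not code from gin, nhooyr.io/websocket or Sync Gateway): a naive client-IP lookup that believes X-Forwarded-For from any caller, beside one that honours the header only when the connection comes from a trusted proxy. The 10.0.0.0/8 proxy range, the function names and the sample addresses are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Constructed assumption: the only network whose forwarding headers we believe.
var _, trustedNet, _ = net.ParseCIDR("10.0.0.0/8")

// naiveClientIP is the unsafe pattern: the leftmost entry is whatever the caller sent.
func naiveClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	return host
}

// clientIP honours the header only from a trusted peer, scanning right to left.
func clientIP(r *http.Request) string {
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	if peer := net.ParseIP(host); peer == nil || !trustedNet.Contains(peer) {
		return host // direct or unknown peer: ignore the header entirely
	}
	hops := strings.Split(strings.Join(r.Header.Values("X-Forwarded-For"), ","), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // malformed entry: stop trusting the rest of the chain
		}
		if !trustedNet.Contains(ip) {
			return ip.String() // first hop that is not one of our proxies
		}
	}
	return host
}

// newReq builds a constructed sample request (hypothetical helper for the demo).
func newReq(remoteAddr, xff string) *http.Request {
	return &http.Request{RemoteAddr: remoteAddr, Header: http.Header{"X-Forwarded-For": {xff}}}
}

func main() {
	spoofed := newReq("203.0.113.9:4000", "127.0.0.1") // direct client forging the header
	fmt.Println("naive:", naiveClientIP(spoofed), "hardened:", clientIP(spoofed))
}
```

Any access control, rate limit or audit log keyed on the naive value inherits the spoofed address, which is why the resolved IP should come from the socket peer unless a known proxy vouches for the header.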

          People

            The One The One
            ianmccloy Ian McCloy (Inactive)