Details
- Bug
- Resolution: Fixed
- Major
- postHelium
- Security Level: Public
- 1
- CVE-2020-28483
- High
Description
In SGW 3.1.x, nhooyr.io/websocket v1.8.7 brings in github.com/gin-gonic/gin v1.6.3,
in which X-Forwarded-For handling is unsafe and allows client IP spoofing. This is a high-severity vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2020-28483
More info at
https://github.com/gin-gonic/gin/pull/2474
nhooyr.io/websocket v1.8.7 is the latest version, but there is an open PR to update gin at
https://github.com/nhooyr/websocket/pull/332/commits/ca33690ff53e22f528eca3ccfefb125e3d8a3fb4
We need to wait for an updated version, patch it ourselves, or use a different library.
It looks like this is an indirect dependency: https://github.com/couchbase/sync_gateway/blob/master/go.mod#L75
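As an added illustration (not code from this ticket, from Sync Gateway, from gin, or from nhooyr.io/websocket), the following contrasts the weak pattern behind this class of bug, taking the first X-Forwarded-For entry at face value, with a resolver that only honours the header when the socket peer is a configured trusted proxy and then walks the header from the right to find the first address it did not control. The trusted CIDR list, the sample addresses and the helper names (`naiveClientIP`, `safeClientIP`, `newRequest`) are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// trustedProxies is an assumed list of reverse-proxy networks that are allowed
// to set X-Forwarded-For; any other peer is treated as untrusted.
var trustedProxies = mustParseCIDRs([]string{"10.0.0.0/8", "127.0.0.0/8"})

func mustParseCIDRs(cidrs []string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

func isTrusted(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// naiveClientIP shows the weak pattern: the leftmost X-Forwarded-For entry is
// believed unconditionally, so whoever sends the request chooses the answer.
func naiveClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	return host
}

// safeClientIP ignores the header unless the socket peer is a trusted proxy,
// then walks the hops right-to-left, skipping trusted proxies, and returns the
// first address that was not appended by infrastructure we control.
func safeClientIP(r *http.Request, trusted []*net.IPNet) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil || !isTrusted(peer, trusted) {
		return host // direct, untrusted connection: the header is not evidence
	}
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		return host
	}
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(parts[i]))
		if ip == nil {
			return host // malformed entry: fall back to the socket peer
		}
		if !isTrusted(ip, trusted) {
			return ip.String()
		}
	}
	// Every hop was one of our proxies; the leftmost entry is the best we have.
	return strings.TrimSpace(parts[0])
}

// newRequest builds a constructed request with the given peer and header.
func newRequest(remoteAddr, xff string) *http.Request {
	r, _ := http.NewRequest("GET", "http://example.test/", nil)
	r.RemoteAddr = remoteAddr
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	// Constructed: untrusted peer supplying its own header.
	direct := newRequest("203.0.113.7:4444", "192.0.2.1")
	// Constructed: client 198.51.100.9 behind edge proxy 10.0.0.9 and inner proxy 10.0.0.5.
	proxied := newRequest("10.0.0.5:50000", "198.51.100.9, 10.0.0.9")
	for _, r := range []*http.Request{direct, proxied} {
		fmt.Printf("naive=%s safe=%s\n", naiveClientIP(r), safeClientIP(r, trustedProxies))
	}
}
```

The safe resolver is only as good as the trusted-proxy list: if an entry is too broad, or a proxy in the chain does not append the address it saw, the right-to-left walk stops at the wrong hop, so the list should be reviewed whenever the ingress path changes.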