Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: directory traversal in gorilla/sessions leads to file writes (and possible) reads in FilesystemStore #2730

Closed
1 task
hdm opened this issue Apr 17, 2024 · 2 comments
Closed
1 task

x/vulndb: directory traversal in gorilla/sessions leads to file writes (and possible) reads in FilesystemStore #2730

hdm opened this issue Apr 17, 2024 · 2 comments
Assignees
@neild @tatianab
Labels
Direct External Report

Comments

@hdm
Copy link

hdm commented Apr 17, 2024
edited
Loading

Acknowledgement

  • The maintainer(s) of the affected project have already been made aware of this vulnerability.

Description

The watchTowr post on Palo Alto Networks CVE-2024-3400 RCE also discloses a directory traversal vulnerability in the gorilla/sessions package. This vulnerability allows an authenticated user to create (and overwrite) any file or device with privileges of the application when the FilesystemStore is used. A pull request was opened by a researcher at another firm that may have co-discovered the issue at gorilla/sessions#274

The gorilla/sessions library and FilesystemStore in particular are widely used in the Go ecosystem.

Affected Modules, Packages, Versions and Symbols

Module: github.com/gorilla/sessions
Package: github.com/gorilla/sessions
Versions:
  - Introduced: 1.1
Symbols:
  - FilesystemStore.Save
  - NewFilesystemStore

CVE/GHSA ID

No response

Fix Commit or Pull Request

gorilla/sessions#274

References

https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

Additional information

I am not the discoverer of this issue, please credit watchTowr and Bishop Fox. I attempted to reach Corey Daley (one of the new gorilla maintainers) by email and slack (gophers - #gorilla), but have not seen a response yet.
@hdm hdm changed the title gorilla/sessions: directory traversal leads to file writes (and possible) reads in FilestorageStore gorilla/sessions: directory traversal leads to file writes (and possible) reads in FilesystemStore Apr 17, 2024
@hdm hdm changed the title gorilla/sessions: directory traversal leads to file writes (and possible) reads in FilesystemStore x/vulndb: directory traversal in gorilla/sessions leads to file writes (and possible) reads in FilesystemStore Apr 17, 2024
@tatianab tatianab self-assigned this Apr 17, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/579655 mentions this issue: data/reports: add GO-2024-2730.yaml

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/579675 mentions this issue: data/reports: add GO-2024-2730.yaml

@fullstackpotato fullstackpotato mentioned this issue Apr 18, 2024
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

@tatianab tatianab

Labels
Direct External Report
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@neild @hdm @tatianab @gopherbot