HD Moore on Nostr

The #golang `gorilla/sessions` directory traversal and file (over)write is now being tracked as GO-2024-2730:
https://go-review.googlesource.com/c/vulndb/+/579655

This issue was (co)-discovered as part of watchTowr's analysis of the Palo Alto Networks RCE (#CVE_2024_3400), but is entirely separate, and affects a wide range of Go-based web services.

https://github.com/golang/vulndb/issues/2730

If you use gorilla/sessions with the FilesystemStore, please switch to the CookieStore instead until a patch is available.
Published at 2024-04-17 15:21:23
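As an added illustration (not code from gorilla/sessions, and not a description of the specific defect tracked as GO-2024-2730, which the post does not detail), this Go snippet shows the defensive check a filesystem-backed session store needs before an untrusted session ID is turned into a file name. The `safeSessionPath` and `saveSession` functions, the ID character set and length bound, and the sample IDs are all assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Session IDs are opaque tokens: accept only a conservative character set and
// length (an assumption for this example) so an ID can never carry a path
// separator, "..", or a NUL byte into the file name.
var validSessionID = regexp.MustCompile(`^[A-Za-z0-9_-]{16,128}$`)

// safeSessionPath builds the on-disk file name for a session ID and refuses
// anything that would resolve outside dir. The charset check is the primary
// control; the filepath.Rel check is defence in depth should it be relaxed.
func safeSessionPath(dir, id string) (string, error) {
	if !validSessionID.MatchString(id) {
		return "", fmt.Errorf("invalid session id %q", id)
	}
	p := filepath.Join(dir, "session_"+id)
	rel, err := filepath.Rel(dir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("session id %q escapes %s", id, dir)
	}
	return p, nil
}

// saveSession writes session data only to a path vetted by safeSessionPath,
// so an attacker-controlled ID can never select an arbitrary file to overwrite.
func saveSession(dir, id string, data []byte) error {
	p, err := safeSessionPath(dir, id)
	if err != nil {
		return err
	}
	return os.WriteFile(p, data, 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "sessions")
	defer os.RemoveAll(dir)
	// Constructed inputs: one well-formed ID and two malformed ones.
	for _, id := range []string{"Vt3kLpQ9aZxR7bNm", "../../etc/passwd", "..%2F..%2Fx"} {
		fmt.Printf("%-20q -> %v\n", id, saveSession(dir, id, []byte("user=alice")))
	}
}
```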