Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2023-45286
Summary
A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling "sync.Pool.Put" with the same "*bytes.Buffer" more than once, when request retries are enabled and a retry occurs. The call to "sync.Pool.Get" will then return a "bytes.Buffer" that hasn't had "bytes.Buffer.Reset" called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The "sync.Pool" in question is defined at package level scope, so a completely unrelated server could receive the request body. This issue affects the versions v2.10.0-rc.1 through v2.10.0.
- HIGH
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-362 - Race Condition
A race condition occurs in a shared memory program when two threads/processes access the same shared memory data, and at least one thread executes a write operation. This vulnerability manipulates the time to check vs. time to use (TOC/TOU) gap between the threads in the critical section to cause disorientation in the shared data. The impact can vary from compromising the confidentiality of the system to causing the system to crash or to execute arbitrary code.
References
Advisory Timeline
- Published
