golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: directory traversal in gorilla/sessions leads to file writes (and possible) reads in FilesystemStore #2730

Closed hdm closed 7 months ago

hdm commented 7 months ago

Acknowledgement

Description

The watchTowr post on Palo Alto Networks CVE-2024-3400 RCE also discloses a directory traversal vulnerability in the gorilla/sessions package. This vulnerability allows an authenticated user to create (and overwrite) any file or device with the privileges of the application when the FilesystemStore is used. A pull request was opened at https://github.com/gorilla/sessions/pull/274 by a researcher at another firm who may have co-discovered the issue.

The gorilla/sessions library and FilesystemStore in particular are widely used in the Go ecosystem.

Affected Modules, Packages, Versions and Symbols

Module: github.com/gorilla/sessions
Package: github.com/gorilla/sessions
Versions:
  - Introduced: 1.1
Symbols:
  - FilesystemStore.Save
  - NewFilesystemStore

CVE/GHSA ID

No response

Fix Commit or Pull Request

https://github.com/gorilla/sessions/pull/274

References

https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

Additional information

I am not the discoverer of this issue; please credit watchTowr and Bishop Fox. I attempted to reach Corey Daley (one of the new gorilla maintainers) by email and Slack (gophers - #gorilla), but have not seen a response yet.
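Added example, not code from this issue or from gorilla/sessions itself: a minimal file-backed session store that reproduces the pattern the report describes, where the client-supplied session ID is spliced into the on-disk filename, next to a hardened variant. The function names (`unsafeSessionPath`, `safeSessionPath`, `saveUnsafe`, `saveSafe`, `Escapes`) and the assumption that valid IDs are opaque alphanumeric tokens are this example's own, not the library's.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Constructed example, not gorilla/sessions' own code: a minimal file-backed
// session store built the way the issue describes, with the session ID taken
// from the client and spliced into the on-disk filename.

// unsafeSessionPath is the vulnerable pattern: prefix the caller-controlled
// ID and join it onto the store directory. filepath.Join runs Clean, and the
// first ".." of the ID is glued to the prefix as the ordinary name
// "session_..", so the second ".." removes that name and every further ".."
// walks out of dir.
func unsafeSessionPath(dir, id string) string {
	return filepath.Join(dir, "session_"+id)
}

// Escapes reports whether path lies outside dir (dir itself counts as
// outside too, since the store must never write the directory entry).
func Escapes(dir, path string) bool {
	rel, err := filepath.Rel(dir, path)
	if err != nil {
		return true
	}
	return rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

var ErrBadSessionID = errors.New("invalid session id")

// validID is an allowlist for IDs. Assumption for this example: IDs are opaque
// tokens from an alphanumeric alphabet (a base32 or base64url-encoded random
// key fits). Path separators, dots and NUL bytes can never match.
var validID = regexp.MustCompile(`^[A-Za-z0-9_-]{1,128}$`)

// safeSessionPath is the hardened form: reject anything outside the allowlist
// before touching the filesystem, then re-check the joined path as defense in
// depth in case the allowlist is ever loosened.
func safeSessionPath(dir, id string) (string, error) {
	if !validID.MatchString(id) {
		return "", ErrBadSessionID
	}
	p := filepath.Join(dir, "session_"+id)
	if Escapes(dir, p) {
		return "", ErrBadSessionID
	}
	return p, nil
}

// saveUnsafe and saveSafe stand in for a store's Save, reduced here to
// writing already-encoded session bytes with the two path builders above.
func saveUnsafe(dir, id string, data []byte) error {
	return os.WriteFile(unsafeSessionPath(dir, id), data, 0o600)
}

func saveSafe(dir, id string, data []byte) error {
	p, err := safeSessionPath(dir, id)
	if err != nil {
		return err
	}
	return os.WriteFile(p, data, 0o600)
}

func main() {
	root, err := os.MkdirTemp("", "sessdemo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	dir := filepath.Join(root, "sessions")
	if err := os.Mkdir(dir, 0o700); err != nil {
		panic(err)
	}

	// Constructed attacker-controlled session ID, as it would arrive in a cookie.
	evil := "../../../escaped"

	// Vulnerable store: the file lands in root, one level above the store dir.
	if err := saveUnsafe(dir, evil, []byte("pwned")); err != nil {
		panic(err)
	}
	_, statErr := os.Stat(filepath.Join(root, "escaped"))
	fmt.Println("unsafe store wrote outside dir:", statErr == nil)

	// Hardened store: rejected before any filesystem call.
	fmt.Println("safe store error:", saveSafe(dir, evil, []byte("pwned")))
}
```

The allowlist is the real fix; the `Escapes` check after `filepath.Join` is only a backstop, because `Clean` has already folded the traversal into a plausible-looking absolute path by the time it runs. Note how many `..` segments are needed to leave the store directory: the `session_` prefix absorbs the first one, so a check that only counts a single `../` would miss this.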

gopherbot commented 7 months ago

Change https://go.dev/cl/579655 mentions this issue: data/reports: add GO-2024-2730.yaml

gopherbot commented 7 months ago

Change https://go.dev/cl/579675 mentions this issue: data/reports: add GO-2024-2730.yaml