{ "schema_version": "1.4.0", "id": "GHSA-crxj-hrmp-4rwf", "modified": "2022-09-30T06:31:20Z", "published": "2022-09-29T00:00:26Z", "aliases": [ "CVE-2022-40083" ], "summary": "Labstack Echo Open Redirect vulnerability", "details": "Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF). Version 4.9.0 contains a patch for the issue.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/labstack/echo/v4" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.9.0" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40083" }, { "type": "WEB", "url": "https://github.com/labstack/echo/issues/2259" }, { "type": "WEB", "url": "https://github.com/labstack/echo/pull/2260" }, { "type": "WEB", "url": "https://github.com/labstack/echo/pull/2260/commits/3154abd1401554fe4d1c09ec550506d8625fc042" }, { "type": "WEB", "url": "https://github.com/labstack/echo/commit/0ac4d74402391912ff6da733bb09fd4c3980b4e1" }, { "type": "PACKAGE", "url": "https://github.com/labstack/echo" }, { "type": "WEB", "url": "https://github.com/labstack/echo/releases/tag/v4.9.0" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2022-1031" } ], "database_specific": { "cwe_ids": [ "CWE-601" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2022-09-30T06:31:20Z", "nvd_published_at": "2022-09-28T14:15:00Z" } }