Found 2 known vulnerabilities in the Gin(GO-2022-0969 & GO-2022-0288)

[mstmdev]

Scan Vulnerability Database with the following command

$ go install golang.org/x/vuln/cmd/govulncheck@latest
$ govulncheck ./...

Vulnerability #1: GO-2022-0969
  HTTP/2 server connections can hang forever waiting for a clean
  shutdown that was preempted by a fatal error. This condition can
  be exploited by a malicious client to cause a denial of service.

  Call stacks in your code:
      gin.go:561:18: github.com/gin-gonic/gin.Engine.RunListener calls net/http.Serve, which eventually calls golang.org/x/net/http2.Server.ServeConn

  Found in: golang.org/x/net/[email protected]
  Fixed in: golang.org/x/net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0969

Vulnerability #2: GO-2022-0288
  An attacker can cause unbounded memory growth in servers
  accepting HTTP/2 requests.

  Call stacks in your code:
      gin.go:561:18: github.com/gin-gonic/gin.Engine.RunListener calls net/http.Serve, which eventually calls golang.org/x/net/http2.Server.ServeConn

  Found in: golang.org/x/net/[email protected]
  Fixed in: golang.org/x/net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0288

[jerome-laforge]

As workaround in order to mitigate this CVE:

go get golang.org/x/net@latest
go: upgraded golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e => v0.0.0-20220921203646-d300de134e69
go: upgraded golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a => v0.0.0-20220728004956-3c1f35247d10