x/vulndb: potential Go vuln in github.com/pterodactyl/wings: GHSA-6rg3-8h8x-5xfv

[GoVulnBot]

In GitHub Security Advisory GHSA-6rg3-8h8x-5xfv, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/pterodactyl/wings	1.2.1	= 1.2.0

See doc/triage.md for instructions on how to triage this report.

package: github.com/pterodactyl/wings
versions:
  - introduced: TODO (earliest fixed "1.2.1", vuln range "= 1.2.0")
description: |
    ### Impact
    A newly implemented route allowing users to download files from remote endpoints was not properly verifying the destination hostname for user provided URLs. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible.

    This vulnerability requires valid authentication credentials and is therefore **not exploitable by unauthenticated users**. If you are running an instance for yourself or other trusted individuals this impact is unlikely to be of major concern to you. However, you should still upgrade for security sake.

    ### Patches
    Users should upgrade to the latest version of Wings.

    ### Workarounds
    There is no workaround available that does not involve modifying Panel or Wings code.
published: 2021-06-23T18:04:50Z
last_modified: 2021-10-05T17:24:12Z
ghsas:
  - GHSA-6rg3-8h8x-5xfv

[neild]

Vulnerability in tool.

[gopherbot]

Change https://go.dev/cl/592767 mentions this issue: data/reports: unexclude 50 reports

[gopherbot]

Change https://go.dev/cl/607217 mentions this issue: data/reports: unexclude 20 reports (15)