GHSA-x477-fq37-q5wr: 
vulnerability analysis and mitigation

The vulnerability (GHSA-x477-fq37-q5wr) affects the debug-host feature in fortio/proxy versions 1.5.0 and 1.6.0. This moderate severity security issue was discovered and disclosed on January 26, 2023, with an update released on January 27, 2023. The vulnerability could potentially expose unnecessary information about the host system when using the debug-host feature (GitHub Advisory).

The vulnerability is classified as CWE-200 (Information Exposure) and has been assessed with a Moderate severity rating. The issue specifically relates to the implementation of the debug-host handler in the fortio.org/proxy Go package (GitHub Advisory).

When exploited, this vulnerability could lead to the exposure of unnecessary information about the host system through the debug-host feature. This information disclosure could potentially be leveraged by attackers to gather sensitive system details (GitHub Advisory).

Users can mitigate this vulnerability through multiple approaches: upgrade to version 1.6.1 or newer which contains the patch, downgrade to version 1.4.0 which predates the vulnerable feature, or set the debug-host parameter to empty. A pull request (#38) was merged to implement a safer version of the DebugHandler (GitHub Advisory, GitHub PR).