Description
Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones and generate sustained unauthenticated traffic for resource consumption.
Problem types
Product status
Any version before 12.128.2
12.128.2 (semver)
Credits
Judel777
References
github.com/.../capgo/security/advisories/GHSA-9c2x-7h5x-37gm
github.com/.../capgo/security/advisories/GHSA-9c2x-7h5x-37gm (GHSA Advisory GHSA-9c2x-7h5x-37gm)
www.vulncheck.com/...uthenticated-options-build-upload-jobid (VulnCheck Advisory: Cap-go - Job Existence Oracle via Unauthenticated OPTIONS /build/upload/:jobId/*)