packages:
  - module: github.com/valyala/fasthttp
    symbols:
      - FS.NewRequestHandler
    versions:
      - fixed: 1.34.0
    vulnerable_at: 1.33.0
description: |
    The fasthttp.FS request handler is vulnerable to directory traversal
    attacks on Windows systems, and can serve files from outside the
    provided root directory.
    URL path normalization does not handle Windows path separators
    (backslashes), permitting an attacker to construct requests
    with relative paths.
cves:
  - CVE-2022-21221
ghsas:
  - GHSA-fx95-883v-4q4h
credit: egovorukhin
links:
    commit: https://github.com/valyala/fasthttp/commit/6b5bc7bb304975147b4af68df54ac214ed2554c1
    context:
      - https://github.com/valyala/fasthttp/issues/1226
      - https://github.com/valyala/fasthttp/releases/tag/v1.34.0
      - https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMVALYALAFASTHTTP-2407866