data/reports/GO-2022-0230.yaml - vulndb - Git at Google

 modules:
   - module: github.com/containernetworking/cni
     versions:
       - fixed: 0.8.1
     vulnerable_at: 0.8.0
     packages:
       - package: github.com/containernetworking/cni/pkg/invoke
         symbols:
           - FindInPath
         derived_symbols:
           - DelegateAdd
           - DelegateCheck
           - DelegateDel
           - RawExec.FindInPath
 description: |
     The FindInPath function is vulnerable to directory traversal attacks,
     potentially permitting attackers to execute arbitrary binaries.

     This function does not sanitize its plugin parameter, so parameter
     names containing "../" or other such elements may reference
     arbitrary locations on the filesystem.
 published: 2022-07-01T20:17:57Z
 cves:
   - CVE-2021-20206
 ghsas:
   - GHSA-xjqr-g762-pxwp
 references:
   - fix: https://github.com/containernetworking/cni/pull/808
   - web: https://bugzilla.redhat.com/show_bug.cgi?id=1919391
   - web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-1070549
	modules:
	- module: github.com/containernetworking/cni
	versions:
	- fixed: 0.8.1
	vulnerable_at: 0.8.0
	packages:
	- package: github.com/containernetworking/cni/pkg/invoke
	symbols:
	- FindInPath
	derived_symbols:
	- DelegateAdd
	- DelegateCheck
	- DelegateDel
	- RawExec.FindInPath
	description: \|
	The FindInPath function is vulnerable to directory traversal attacks,
	potentially permitting attackers to execute arbitrary binaries.

	This function does not sanitize its plugin parameter, so parameter
	names containing "../" or other such elements may reference
	arbitrary locations on the filesystem.
	published: 2022-07-01T20:17:57Z
	cves:
	- CVE-2021-20206
	ghsas:
	- GHSA-xjqr-g762-pxwp
	references:
	- fix: https://github.com/containernetworking/cni/pull/808
	- web: https://bugzilla.redhat.com/show_bug.cgi?id=1919391
	- web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-1070549