{
"schema_version": "1.3.1",
"id": "GO-2022-0272",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-07-15T23:08:12Z",
"aliases": [
"CVE-2021-23772",
"GHSA-jcxc-rh6w-wf49"
],
"summary": "Directory traversal in github.com/kataras/iris and github.com/kataras/iris/v12",
"details": "The Context.UploadFormFiles function is vulnerable to directory traversal attacks, and can be made to write uploaded files to arbitrary locations outside the destination directory.\n\nThis vulnerability only occurs when the program is built with a Go version prior to 1.17. Go 1.17 and later strip directory paths from the filenames returned by \"mime/multipart\".Part.FileName, which avoids this issue.",
"affected": [
{
"package": {
"name": "github.com/kataras/iris/v12",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "12.2.0-alpha8"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/kataras/iris/v12/context",
"symbols": [
"Context.UploadFormFiles"
]
}
]
}
},
{
"package": {
"name": "github.com/kataras/iris",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/kataras/iris/context",
"symbols": [
"Context.UploadFormFiles"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170"
}
],
"credits": [
{
"name": "Snyk Security Team"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0272"
}
}