| { |
| "id": "GO-2022-0272", |
| "published": "2022-07-15T23:08:12Z", |
| "modified": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2021-23772", |
| "GHSA-jcxc-rh6w-wf49" |
| ], |
| "details": "The Context.UploadFormFiles function is vulnerable to directory\ntraversal attacks, and can be made to write to arbitrary locations\noutside the destination directory.\n\nThis vulnerability only occurs when built with Go versions prior to 1.17.\nGo 1.17 and later strip directory paths from filenames returned by\n\"mime/multipart\".Part.FileName, which avoids this issue.\n", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/kataras/iris/v12", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "12.2.0-alpha8" |
| } |
| ] |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2022-0272" |
| }, |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/kataras/iris/v12/context", |
| "symbols": [ |
| "Context.UploadFormFiles" |
| ] |
| } |
| ] |
| } |
| }, |
| { |
| "package": { |
| "name": "github.com/kataras/iris", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| } |
| ] |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2022-0272" |
| }, |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/kataras/iris/context", |
| "symbols": [ |
| "Context.UploadFormFiles" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170" |
| } |
| ] |
| } |
