{
"schema_version": "1.3.1",
"id": "GO-2022-0355",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-07-27T20:26:59Z",
"aliases": [
"CVE-2022-21221",
"GHSA-fx95-883v-4q4h"
],
"summary": "Path traversal in github.com/valyala/fasthttp",
"details": "The fasthttp.FS request handler is vulnerable to directory traversal attacks on Windows systems and can serve files from outside the provided root directory.\n\nURL path normalization does not handle Windows path separators (backslashes), so an attacker can construct requests whose paths contain relative path components.",
"affected": [
{
"package": {
"name": "github.com/valyala/fasthttp",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.34.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/valyala/fasthttp",
"symbols": [
"AppendBrotliBytes",
"AppendBrotliBytesLevel",
"AppendDeflateBytes",
"AppendDeflateBytesLevel",
"AppendGunzipBytes",
"AppendGzipBytes",
"AppendGzipBytesLevel",
"AppendHTTPDate",
"AppendInflateBytes",
"AppendUnbrotliBytes",
"Args.WriteTo",
"Client.CloseIdleConnections",
"Client.Do",
"Client.DoDeadline",
"Client.DoRedirects",
"Client.DoTimeout",
"Client.Get",
"Client.GetDeadline",
"Client.GetTimeout",
"Client.Post",
"Cookie.AppendBytes",
"Cookie.Cookie",
"Cookie.Parse",
"Cookie.ParseBytes",
"Cookie.String",
"Cookie.WriteTo",
"Dial",
"DialDualStack",
"DialDualStackTimeout",
"DialTimeout",
"Do",
"DoDeadline",
"DoRedirects",
"DoTimeout",
"FS.NewRequestHandler",
"FSHandler",
"FileLastModified",
"GenerateTestCertificate",
"Get",
"GetDeadline",
"GetTimeout",
"HostClient.CloseIdleConnections",
"HostClient.Do",
"HostClient.DoDeadline",
"HostClient.DoRedirects",
"HostClient.DoTimeout",
"HostClient.Get",
"HostClient.GetDeadline",
"HostClient.GetTimeout",
"HostClient.Post",
"LBClient.Do",
"LBClient.DoDeadline",
"LBClient.DoTimeout",
"ListenAndServe",
"ListenAndServeTLS",
"ListenAndServeTLSEmbed",
"ListenAndServeUNIX",
"NewStreamReader",
"ParseByteRange",
"ParseHTTPDate",
"ParseIPv4",
"PipelineClient.Do",
"PipelineClient.DoDeadline",
"PipelineClient.DoTimeout",
"PipelineClient.PendingRequests",
"Post",
"Request.Body",
"Request.BodyGunzip",
"Request.BodyInflate",
"Request.BodyUnbrotli",
"Request.BodyWriteTo",
"Request.ContinueReadBody",
"Request.ContinueReadBodyStream",
"Request.Host",
"Request.MultipartForm",
"Request.PostArgs",
"Request.Read",
"Request.ReadBody",
"Request.ReadLimitBody",
"Request.SetBodyStreamWriter",
"Request.SetHost",
"Request.SetHostBytes",
"Request.String",
"Request.SwapBody",
"Request.URI",
"Request.Write",
"Request.WriteTo",
"RequestCtx.FormFile",
"RequestCtx.FormValue",
"RequestCtx.Host",
"RequestCtx.IfModifiedSince",
"RequestCtx.MultipartForm",
"RequestCtx.Path",
"RequestCtx.PostArgs",
"RequestCtx.PostBody",
"RequestCtx.QueryArgs",
"RequestCtx.Redirect",
"RequestCtx.RedirectBytes",
"RequestCtx.SendFile",
"RequestCtx.SendFileBytes",
"RequestCtx.SetBodyStreamWriter",
"RequestCtx.String",
"RequestCtx.URI",
"RequestHeader.Add",
"RequestHeader.AddBytesK",
"RequestHeader.AddBytesKV",
"RequestHeader.AddBytesV",
"RequestHeader.Read",
"RequestHeader.ReadTrailer",
"RequestHeader.Set",
"RequestHeader.SetByteRange",
"RequestHeader.SetBytesK",
"RequestHeader.SetBytesKV",
"RequestHeader.SetBytesV",
"RequestHeader.SetCanonical",
"RequestHeader.SetReferer",
"RequestHeader.SetRefererBytes",
"RequestHeader.Write",
"Response.Body",
"Response.BodyGunzip",
"Response.BodyInflate",
"Response.BodyUnbrotli",
"Response.BodyWriteTo",
"Response.Read",
"Response.ReadBody",
"Response.ReadLimitBody",
"Response.SendFile",
"Response.SetBodyStreamWriter",
"Response.String",
"Response.SwapBody",
"Response.Write",
"Response.WriteDeflate",
"Response.WriteDeflateLevel",
"Response.WriteGzip",
"Response.WriteGzipLevel",
"Response.WriteTo",
"ResponseHeader.Add",
"ResponseHeader.AddBytesK",
"ResponseHeader.AddBytesKV",
"ResponseHeader.AddBytesV",
"ResponseHeader.AppendBytes",
"ResponseHeader.Cookie",
"ResponseHeader.DelClientCookie",
"ResponseHeader.DelClientCookieBytes",
"ResponseHeader.Header",
"ResponseHeader.Read",
"ResponseHeader.ReadTrailer",
"ResponseHeader.Set",
"ResponseHeader.SetBytesK",
"ResponseHeader.SetBytesKV",
"ResponseHeader.SetBytesV",
"ResponseHeader.SetCanonical",
"ResponseHeader.SetContentRange",
"ResponseHeader.SetCookie",
"ResponseHeader.SetLastModified",
"ResponseHeader.String",
"ResponseHeader.Write",
"ResponseHeader.WriteTo",
"SaveMultipartFile",
"Serve",
"ServeConn",
"ServeFile",
"ServeFileBytes",
"ServeFileBytesUncompressed",
"ServeFileUncompressed",
"ServeTLS",
"ServeTLSEmbed",
"Server.AppendCert",
"Server.AppendCertEmbed",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.ListenAndServeTLSEmbed",
"Server.ListenAndServeUNIX",
"Server.Serve",
"Server.ServeConn",
"Server.ServeTLS",
"Server.ServeTLSEmbed",
"Server.Shutdown",
"TCPDialer.Dial",
"TCPDialer.DialDualStack",
"TCPDialer.DialDualStackTimeout",
"TCPDialer.DialTimeout",
"URI.Parse",
"URI.Update",
"URI.UpdateBytes",
"URI.WriteTo",
"WriteBrotli",
"WriteBrotliLevel",
"WriteDeflate",
"WriteDeflateLevel",
"WriteGunzip",
"WriteGzip",
"WriteGzipLevel",
"WriteInflate",
"WriteMultipartForm",
"WriteUnbrotli",
"bigFileReader.Read",
"bigFileReader.WriteTo",
"ctxLogger.Printf",
"firstByteReader.Read",
"flushWriter.Write",
"fsFile.NewReader",
"fsSmallFileReader.WriteTo",
"hijackConn.Close",
"hijackConn.Read",
"perIPConn.Close",
"perIPConnCounter.Unregister",
"pipelineConnClient.Do",
"pipelineConnClient.DoDeadline",
"pipelineConnClient.PendingRequests",
"requestStream.Read",
"statsWriter.Write",
"tcpKeepaliveListener.Accept",
"workerPool.Serve"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/valyala/fasthttp/commit/6b5bc7bb304975147b4af68df54ac214ed2554c1"
},
{
"type": "WEB",
"url": "https://github.com/valyala/fasthttp/issues/1226"
},
{
"type": "WEB",
"url": "https://github.com/valyala/fasthttp/releases/tag/v1.34.0"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMVALYALAFASTHTTP-2407866"
}
],
"credits": [
{
"name": "egovorukhin"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0355",
"review_status": "REVIEWED"
}
}