blob: 41c7bcb302cbbc33670b3b260075b52c6808a827 [file] [log] [blame]
id: GO-2022-0230
modules:
- module: github.com/containernetworking/cni
versions:
- fixed: 0.8.1
vulnerable_at: 0.8.0
packages:
- package: github.com/containernetworking/cni/pkg/invoke
symbols:
- FindInPath
derived_symbols:
- DelegateAdd
- DelegateCheck
- DelegateDel
- RawExec.FindInPath
summary: Improper limitation of path name in github.com/containernetworking/cni
description: |-
The FindInPath function is vulnerable to directory traversal attacks,
potentially permitting attackers to execute arbitrary binaries.
This function does not sanitize its plugin parameter, so parameter names
containing "../" or other such elements may reference arbitrary locations on the
filesystem.
published: 2022-07-01T20:17:57Z
cves:
- CVE-2021-20206
ghsas:
- GHSA-xjqr-g762-pxwp
references:
- fix: https://github.com/containernetworking/cni/pull/808
- web: https://bugzilla.redhat.com/show_bug.cgi?id=1919391
- web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-1070549
review_status: REVIEWED