| id: GO-2022-1027 |
| modules: |
| - module: github.com/cloudwego/hertz |
| versions: |
| - fixed: 0.3.1 |
| vulnerable_at: 0.3.0 |
| packages: |
| - package: github.com/cloudwego/hertz/pkg/protocol |
| goos: |
| - windows |
| symbols: |
| - normalizePath |
| derived_symbols: |
| - Cookie.SetPath |
| - Cookie.SetPathBytes |
| - NewRequest |
| - ParseURI |
| - Request.Host |
| - Request.ParseURI |
| - Request.Path |
| - Request.QueryString |
| - Request.SetHost |
| - Request.SetQueryString |
| - Request.URI |
| - URI.Parse |
| - URI.SetPath |
| - URI.SetPathBytes |
| - URI.Update |
| - URI.UpdateBytes |
| summary: Path traversal in github.com/cloudwego/hertz |
| description: |- |
| Improper path sanitization on Windows permits path traversal attacks. Static |
| file serving with the Static or StaticFS functions allows an attacker to access |
| files from outside the filesystem root. |
| |
| This vulnerability does not affect non-Windows systems. |
| cves: |
| - CVE-2022-40082 |
| ghsas: |
| - GHSA-c9qr-f6c8-rgxf |
| references: |
| - web: https://github.com/cloudwego/hertz/issues/228 |
| - fix: https://github.com/cloudwego/hertz/pull/229 |
| review_status: REVIEWED |