reports/GO-2022-0230.yaml - vulndb - Git at Google

 packages:
   - module: github.com/containernetworking/cni
     package: github.com/containernetworking/cni/pkg/invoke
     symbols:
       - FindInPath
     derived_symbols:
       - DelegateAdd
       - DelegateCheck
       - DelegateDel
       - RawExec.FindInPath
     versions:
       - fixed: 0.8.1
     vulnerable_at: 0.8.0
 description: |
     The FindInPath function is vulnerable to directory traversal attacks,
     potentially permitting attackers to execute arbitrary binaries.

     This function does not sanitize its plugin parameter, so parameter
     names containing "../" or other such elements may reference
     arbitrary locations on the filesystem.
 cves:
   - CVE-2021-20206
 ghsas:
   - GHSA-xjqr-g762-pxwp
 links:
     pr: https://github.com/containernetworking/cni/pull/808
     context:
       - https://bugzilla.redhat.com/show_bug.cgi?id=1919391
       - https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-1070549
	packages:
	- module: github.com/containernetworking/cni
	package: github.com/containernetworking/cni/pkg/invoke
	symbols:
	- FindInPath
	derived_symbols:
	- DelegateAdd
	- DelegateCheck
	- DelegateDel
	- RawExec.FindInPath
	versions:
	- fixed: 0.8.1
	vulnerable_at: 0.8.0
	description: \|
	The FindInPath function is vulnerable to directory traversal attacks,
	potentially permitting attackers to execute arbitrary binaries.

	This function does not sanitize its plugin parameter, so parameter
	names containing "../" or other such elements may reference
	arbitrary locations on the filesystem.
	cves:
	- CVE-2021-20206
	ghsas:
	- GHSA-xjqr-g762-pxwp
	links:
	pr: https://github.com/containernetworking/cni/pull/808
	context:
	- https://bugzilla.redhat.com/show_bug.cgi?id=1919391
	- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-1070549