blob: cee7f948e0256c13b2f59f9d0c3e14d8ab8ca374 [file] [log] [blame]
id: GO-2022-0272
modules:
- module: github.com/kataras/iris/v12
versions:
- fixed: 12.2.0-alpha8
vulnerable_at: 12.1.8
packages:
- package: github.com/kataras/iris/v12/context
symbols:
- Context.UploadFormFiles
- module: github.com/kataras/iris
vulnerable_at: 0.0.2
packages:
- package: github.com/kataras/iris/context
symbols:
- Context.UploadFormFiles
summary: Directory traversal in github.com/kataras/iris and github.com/kataras/iris/v12
description: |-
The Context.UploadFormFiles function is vulnerable to directory traversal
attacks, and can be made to write to arbitrary locations outside the destination
directory.
This vulnerability only occurs when built with Go versions prior to 1.17. Go
1.17 and later strip directory paths from filenames returned by
"mime/multipart".Part.FileName, which avoids this issue.
published: 2022-07-15T23:08:12Z
cves:
- CVE-2021-23772
ghsas:
- GHSA-jcxc-rh6w-wf49
credits:
- Snyk Security Team
references:
- fix: https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08
- web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169
- web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170
review_status: REVIEWED