blob: 0f543419b97fab70f754689c2c5a89891f890e63 [file] [log] [blame]
id: GO-2022-1027
modules:
- module: github.com/cloudwego/hertz
versions:
- fixed: 0.3.1
vulnerable_at: 0.3.0
packages:
- package: github.com/cloudwego/hertz/pkg/protocol
goos:
- windows
symbols:
- normalizePath
derived_symbols:
- Cookie.SetPath
- Cookie.SetPathBytes
- NewRequest
- ParseURI
- Request.Host
- Request.ParseURI
- Request.Path
- Request.QueryString
- Request.SetHost
- Request.SetQueryString
- Request.URI
- URI.Parse
- URI.SetPath
- URI.SetPathBytes
- URI.Update
- URI.UpdateBytes
summary: Path traversal in github.com/cloudwego/hertz
description: |-
Improper path sanitization on Windows permits path traversal attacks. Static
file serving with the Static or StaticFS functions allows an attacker to access
files from outside the filesystem root.
This vulnerability does not affect non-Windows systems.
cves:
- CVE-2022-40082
ghsas:
- GHSA-c9qr-f6c8-rgxf
references:
- web: https://github.com/cloudwego/hertz/issues/228
- fix: https://github.com/cloudwego/hertz/pull/229
review_status: REVIEWED