| id: GO-2022-0272 |
| modules: |
| - module: github.com/kataras/iris/v12 |
| versions: |
| - fixed: 12.2.0-alpha8 |
| vulnerable_at: 12.1.8 |
| packages: |
| - package: github.com/kataras/iris/v12/context |
| symbols: |
| - Context.UploadFormFiles |
| - module: github.com/kataras/iris |
| vulnerable_at: 0.0.2 |
| packages: |
| - package: github.com/kataras/iris/context |
| symbols: |
| - Context.UploadFormFiles |
| summary: Directory traversal in github.com/kataras/iris and github.com/kataras/iris/v12 |
| description: |- |
| The Context.UploadFormFiles function is vulnerable to directory traversal |
| attacks, and can be made to write to arbitrary locations outside the destination |
| directory. |
| |
| This vulnerability only occurs when built with Go versions prior to 1.17. Go |
| 1.17 and later strip directory paths from filenames returned by |
| "mime/multipart".Part.FileName, which avoids this issue. |
| published: 2022-07-15T23:08:12Z |
| cves: |
| - CVE-2021-23772 |
| ghsas: |
| - GHSA-jcxc-rh6w-wf49 |
| credits: |
| - Snyk Security Team |
| references: |
| - fix: https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08 |
| - web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169 |
| - web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170 |
