Vulnerability Report: GO-2022-0272
- Aliases: CVE-2021-23772, GHSA-jcxc-rh6w-wf49
- Affects: github.com/kataras/iris/v12, github.com/kataras/iris
- Published: Jul 15, 2022
- Modified: May 20, 2024
The Context.UploadFormFiles function is vulnerable to directory traversal attacks, and can be made to write to arbitrary locations outside the destination directory. This vulnerability only occurs when built with Go versions prior to 1.17. Go 1.17 and later strip directory paths from filenames returned by "mime/multipart".Part.FileName, which avoids this issue.
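The safe handling the summary describes is easy to check for yourself. The program below is an added example, not code from iris or from the Go standard library: it builds a constructed multipart body whose client-supplied filename carries a directory prefix, reads it back through mime/multipart (so you can observe whether your toolchain's Part.FileName strips the prefix), and then applies a hypothetical SafeUploadPath helper that does the same reduction to a single path component explicitly. The helper and the "uploads" destination directory are assumptions made for the example; the helper also rejects "." and ".." and treats backslashes as separators, which are cases filepath.Base alone does not cover.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"path/filepath"
	"strings"
)

// ErrBadFilename is returned when a client-supplied filename cannot be
// reduced to a safe single path component.
var ErrBadFilename = errors.New("unsafe upload filename")

// SafeUploadPath (hypothetical helper, not part of iris) mirrors the hardening
// Go 1.17 applied to mime/multipart.Part.FileName, namely applying
// filepath.Base to the client-supplied name, and adds the checks an upload
// handler should make regardless of toolchain version: treat both '/' and
// '\' as separators, reject "." and "..", and confirm the final path still
// lies directly inside destDir.
func SafeUploadPath(destDir, clientName string) (string, error) {
	// Normalise Windows-style separators so a name such as `..\..\x` is not
	// treated as one opaque component on Unix hosts.
	name := strings.ReplaceAll(clientName, "\\", "/")
	// Keep only the last path element; this drops any directory prefix.
	name = filepath.Base(name)
	// filepath.Base("") is "." and filepath.Base("..") is "..", so these
	// must be rejected explicitly.
	if name == "." || name == ".." || name == "/" || name == "" {
		return "", ErrBadFilename
	}
	dest := filepath.Join(destDir, name)
	// Defence in depth: the result must be a direct child of destDir.
	rel, err := filepath.Rel(destDir, dest)
	if err != nil || rel != name {
		return "", ErrBadFilename
	}
	return dest, nil
}

func main() {
	// Constructed sample request body: one form file whose client-supplied
	// filename carries a traversal prefix.
	var body bytes.Buffer
	w := multipart.NewWriter(&body)
	fw, err := w.CreateFormFile("file", "../../etc/passwd")
	if err != nil {
		panic(err)
	}
	fw.Write([]byte("constructed file contents"))
	w.Close()

	// Read the body back the way a server would.
	r := multipart.NewReader(&body, w.Boundary())
	part, err := r.NextPart()
	if err != nil {
		panic(err)
	}
	// On Go 1.17 and later this prints "passwd"; older toolchains return the
	// full client-supplied string, which is why the explicit helper matters.
	fmt.Println("Part.FileName():", part.FileName())

	dest, err := SafeUploadPath("uploads", part.FileName())
	fmt.Println("destination:", dest, "error:", err)
}
```

Because the check is applied to whatever Part.FileName returns, the handler's behaviour no longer depends on the Go version it was built with: the write always lands on a single file name directly under the destination directory or is refused.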
Affected Packages
- github.com/kataras/iris/v12: versions before v12.2.0-alpha8
- github.com/kataras/iris: all versions, no known fixed
References
- https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170
- https://vuln.go.dev/ID/GO-2022-0272.json
Credits
- Snyk Security Team