Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qY3hjLXJoNnctd2Y0Oc0eaw
Link Following in Iris
This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.
Permalink: https://github.com/advisories/GHSA-jcxc-rh6w-wf49JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qY3hjLXJoNnctd2Y0Oc0eaw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-jcxc-rh6w-wf49, CVE-2021-23772
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23772
- https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170
- https://pkg.go.dev/vuln/GO-2022-0272
- https://github.com/advisories/GHSA-jcxc-rh6w-wf49
Blast Radius: 27.1
Affected Packages
go:github.com/kataras/iris
Dependent packages: 500Dependent repositories: 466
Downloads:
Affected Version Ranges: <= 0.0.2
No known fixed version
All affected versions: 0.0.1, 0.0.2
go:github.com/kataras/iris/v12
Dependent packages: 1,002Dependent repositories: 4,148
Downloads:
Affected Version Ranges: < 12.2.0-alpha8
Fixed in: 12.2.0-alpha8
All affected versions: 12.0.0, 12.0.1, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.1.7, 12.1.8, 12.2.0-alpha, 12.2.0-alpha2, 12.2.0-alpha3, 12.2.0-alpha4, 12.2.0-alpha5, 12.2.0-alpha6, 12.2.0-alpha7
All unaffected versions: 12.2.0, 12.2.1, 12.2.4, 12.2.5, 12.2.7, 12.2.8, 12.2.9, 12.2.10