Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wcDNmLXhydzUtcTVqNM4AAv_J
Lancet vulnerable to path traversal when unzipping files
Impact
What kind of vulnerability is it? Who is impacted?
ZipSlip (path traversal) issue when using the fileutil package to unzip files: a crafted archive entry name containing `..` can cause files to be written outside the intended destination directory.
Patches
Has the problem been patched? What versions should users upgrade to?
It will be fixed in v2.1.10; please upgrade to v2.1.10 or above.
Users on v1.x.x should upgrade to v1.3.4 or above.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No; users have to upgrade to a fixed version.
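To show what a ZipSlip check guards against in an unzip routine like the one this advisory describes, the following is an added Go example; it is not lancet's code and not the patched fileutil implementation. It builds an archive in memory from constructed entries, then extracts it while refusing any entry whose resolved path would leave the destination directory. The names safeJoin, extractZip, extractBytes and buildSampleZip are assumptions for this illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrZipSlip is returned when an archive entry would resolve outside dest.
var ErrZipSlip = errors.New("zip entry escapes destination directory")

// entry is a constructed name/content pair used to build sample archives.
type entry struct{ Name, Body string }

// safeJoin resolves an archive entry name under dest and rejects any entry
// whose cleaned path would land outside dest. This is the ZipSlip check:
// filepath.Join cleans ".." segments, so a traversal name no longer starts
// with the destination prefix after joining.
func safeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q", ErrZipSlip, name)
	}
	return target, nil
}

// extractZip writes every entry of r below dest, aborting on the first
// entry that fails the ZipSlip check.
func extractZip(r *zip.Reader, dest string) error {
	for _, f := range r.File {
		target, err := safeJoin(dest, f.Name)
		if err != nil {
			return err
		}
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		rc, err := f.Open()
		if err != nil {
			return err
		}
		out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
		if err != nil {
			rc.Close()
			return err
		}
		_, err = io.Copy(out, rc)
		rc.Close()
		out.Close()
		if err != nil {
			return err
		}
	}
	return nil
}

// extractBytes opens an in-memory archive and extracts it below dest.
// Go 1.20+ may already flag non-local entry names when the archive is
// opened (zip.ErrInsecurePath); that is reported as the same ZipSlip error.
func extractBytes(data []byte, dest string) error {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		if errors.Is(err, zip.ErrInsecurePath) {
			return fmt.Errorf("%w: %v", ErrZipSlip, err)
		}
		return err
	}
	return extractZip(r, dest)
}

// buildSampleZip builds an archive from constructed entries so the example
// runs offline without any file on disk.
func buildSampleZip(entries []entry) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.Name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write([]byte(e.Body)); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	dest, err := os.MkdirTemp("", "unzip-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	// Constructed samples: one benign archive, one with a traversal entry name.
	for _, entries := range [][]entry{{{"docs/readme.txt", "hello"}}, {{"../outside.txt", "escaped"}}} {
		data, err := buildSampleZip(entries)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s -> %v\n", entries[0].Name, extractBytes(data, dest))
	}
}
```

The prefix comparison must include the trailing separator; comparing against the bare destination string would accept a sibling directory such as `out-evil` when the destination is `out`. On Go 1.20 or newer, `filepath.IsLocal` offers an equivalent pre-check on the raw entry name.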
Permalink: https://github.com/advisories/GHSA-pp3f-xrw5-q5j4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcDNmLXhydzUtcTVqNM4AAv_J
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 8 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-pp3f-xrw5-q5j4, CVE-2022-41920
References:
- https://github.com/duke-git/lancet/security/advisories/GHSA-pp3f-xrw5-q5j4
- https://nvd.nist.gov/vuln/detail/CVE-2022-41920
- https://github.com/duke-git/lancet/issues/62
- https://github.com/duke-git/lancet/commit/f133b32faa05eb93e66175d01827afa4b7094572
- https://github.com/duke-git/lancet/commit/f869a0a67098e92d24ddd913e188b32404fa72c9
- https://pkg.go.dev/vuln/GO-2022-1114
- https://github.com/advisories/GHSA-pp3f-xrw5-q5j4
Blast Radius: 15.1
Affected Packages
go:github.com/duke-git/lancet
Dependent packages: 20
Dependent repositories: 9
Downloads:
Affected Version Ranges: < 1.3.4
Fixed in: 1.3.4
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.3.0, 1.3.1, 1.3.2, 1.3.3
All unaffected versions: 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.4.0, 1.4.1, 1.4.2
go:github.com/duke-git/lancet/v2
Dependent packages: 93
Dependent repositories: 52
Downloads:
Affected Version Ranges: >= 2.0.0, < 2.1.10
Fixed in: 2.1.10
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9
All unaffected versions: 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.1.19, 2.1.20, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8