GHSA-5g39-ppwg-6xx8

Published: 16 Mar 2023
Source: github
Github: Reviewed
CVSS3: 8.8

Description

Go-huge-util vulnerable to path traversal when unzipping files

Impact: There is a ZipSlip issue when the fsutil package is used to unzip files. Users who call zip.Unzip on a zip file supplied by a malicious attacker may be vulnerable to path traversal.

Patches: The issue has been fixed in v0.0.34. Please upgrade to v0.0.34 or above.

Workarounds: None. Users have to upgrade.

Specific Go packages affected: github.com/dablelv/go-huge-util/zip


Packages

Name: github.com/dablelv/go-huge-util (go)
Affected versions: < 0.0.34
Fixed version: 0.0.34

EPSS: 0.00123 (percentile: 32%, Low)

CVSS3: 8.8 High

Weaknesses: CWE-22

Related vulnerabilities

CVSS3: 8.8
nvd
almost 3 years ago

go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds.
