Description
sjqzhang go-fastdfs vulnerable to path traversal
sjqzhang go-fastdfs up to 1.4.3 is vulnerable to path traversal in the function upload of the file /group1/upload of the component File Upload Handler. The attack may be launched remotely and the exploit has been disclosed to the public and may be used.
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-1800
- https://github.com/sjqzhang/go-fastdfs/commit/61cbff5124c61e292994099372b11c06cdb5b80b
- https://github.com/yangyanglo/ForCVE/blob/93a16663cd32a36d37d8a0f0102e1592254d0279/2023-0x05.md
- https://github.com/yangyanglo/ForCVE/blob/main/2023-0x05.md
- https://vuldb.com/?ctiid.224768
- https://vuldb.com/?id.224768
Packages
github.com/sjqzhang/go-fastdfs
Affected versions: < 1.4.5-0.20230408141131-61cbff5124c6
Patched version: 1.4.5-0.20230408141131-61cbff5124c6
Related vulnerabilities
A vulnerability, which was classified as critical, has been found in sjqzhang go-fastdfs up to 1.4.3. Affected by this issue is the function upload of the file /group1/uploa of the component File Upload Handler. The manipulation leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-224768.
A vulnerability in the file upload function of the sjqzhang go-fastdfs distributed file system that allows an attacker to write arbitrary files and also to execute arbitrary commands