CVE-2021-23772

Published: Dec 24, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.

Affected (6)

Products: Iris Go: Iris

1 product

Configuration A

6 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Iris Go Iris	Up to 12.1.8
Iris Go Iris	Version 12.2.0 alpha2
Iris Go Iris	Version 12.2.0 alpha3
Iris Go Iris	Version 12.2.0 alpha4
Iris Go Iris	Version 12.2.0 alpha5
Iris Go Iris	Version 12.2.0 alpha

Running on/with	Platform Versions
Golang Go	Before 1.7.5

Related CWEs

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (6)

https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08

Source: report@snyk.io

PatchThird Party Advisory

https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169

Source: report@snyk.io

ExploitPatchThird Party Advisory

https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170

Source: report@snyk.io

ExploitPatchThird Party Advisory

https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.