GHSA-5g39-ppwg-6xx8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5g39-ppwg-6xx8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-5g39-ppwg-6xx8/GHSA-5g39-ppwg-6xx8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5g39-ppwg-6xx8
- Aliases
- Published
- 2023-03-16T18:32:38Z
- Modified
- 2023-11-08T04:12:08.557968Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L CVSS Calculator
- Summary
- Go-huge-util vulnerable to path traversal when unzipping files
- Details
-
Impact ZipSlip issue when use fsutil package to unzip files. When users use zip.Unzip to unzip zip files from a malicious attacker, they may be vulnerable to path traversal.
Patches It has been fixed in v0.0.34, Please upgrade version to v0.0.34 or above.
Workarounds No, users have to upgrade version.
Specific Go Packages Affected github.com/dablelv/go-huge-util/zip
References
- Database specific
{ "nvd_published_at": "2023-03-16T17:15:00Z", "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-03-16T18:32:38Z" }- References
Affected packages
Go / github.com/dablelv/go-huge-util
Package
- Name
- github.com/dablelv/go-huge-util
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/dablelv/go-huge-util