GHSA-9h6h-9g78-86f7

Source
https://github.com/advisories/GHSA-9h6h-9g78-86f7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-9h6h-9g78-86f7/GHSA-9h6h-9g78-86f7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9h6h-9g78-86f7
Aliases
Published
2022-12-29T01:50:20Z
Modified
2024-08-21T16:28:58.734285Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Yapscan's report receiver server vulnerable to path traversal and log injection
Details

Impact

If you make use of the report receiver server (experimental), a client may be able to forge requests such that arbitrary files on the host can be overwritten (subject to the permissions of the yapscan server process), leading to loss of data. This is particularly problematic if clients are not authenticated and/or the server runs with elevated permissions.

Patches

Vulnerable versions:

  • v0.18.0
  • v0.19.0 (unreleased)

This problem is patched in version v0.19.1.

Workarounds

Updating to the patched version is highly encouraged!

Measures that reduce the risk include authenticating clients (see the --client-ca flag) and running the yapscan server in a container.
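The two weaknesses listed for this advisory (CWE-22 path traversal and CWE-117 log injection) share one root cause: a client-controlled string reaching the filesystem or the log unchecked. The following Go code is an added illustration of the server-side hardening, not yapscan's own fix; the report directory, the function names and the sample inputs are assumptions.

```go
package main

import (
	"errors"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a client-supplied name would resolve
// outside the configured report directory.
var ErrOutsideRoot = errors.New("report path escapes report directory")

// SafeReportPath confines a client-supplied report file name to rootDir.
// Absolute paths, empty names and any path whose cleaned form leaves
// rootDir are rejected, so "../../etc/passwd" can never be written.
// (Hypothetical helper; rootDir such as /var/lib/yapscan/reports is assumed.)
func SafeReportPath(rootDir, clientName string) (string, error) {
	if clientName == "" {
		return "", errors.New("empty report name")
	}
	// Treat backslashes as separators too, so "..\x" counts as traversal.
	name := strings.ReplaceAll(clientName, "\\", "/")
	if strings.HasPrefix(name, "/") {
		return "", ErrOutsideRoot
	}
	root, err := filepath.Abs(rootDir)
	if err != nil {
		return "", err
	}
	// Join cleans the path; Rel then tells us whether it still lies under root.
	full := filepath.Join(root, filepath.FromSlash(name))
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// SanitizeLogField drops CR, LF and other control characters from a
// client-supplied value before it is logged, so a request cannot forge
// additional log entries (CWE-117).
func SanitizeLogField(s string) string {
	return strings.Map(func(r rune) rune {
		if r < 0x20 || r == 0x7f {
			return -1 // negative return drops the character
		}
		return r
	}, s)
}
```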

References

The tracking issue is #35. The commits fixing the issue are linked there.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-117",
        "CWE-22",
        "CWE-73"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-29T01:50:20Z"
}
Affected packages

Go / github.com/fkie-cad/yapscan

Package

Name
github.com/fkie-cad/yapscan
Purl
pkg:golang/github.com/fkie-cad/yapscan

Affected ranges

Type
SEMVER
Events
Introduced
0.18.0
Fixed
0.19.1