GHSA-pp3f-xrw5-q5j4

Suggest an improvement
Source
https://github.com/advisories/GHSA-pp3f-xrw5-q5j4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-pp3f-xrw5-q5j4/GHSA-pp3f-xrw5-q5j4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pp3f-xrw5-q5j4
Aliases
Related
Published
2022-11-21T22:31:31Z
Modified
2023-11-08T04:10:35.692001Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Lancet vulnerable to path traversal when unzipping files
Details

Impact

What kind of vulnerability is it? Who is impacted?

ZipSlip issue when use fileutil package to unzip files.

Patches

Has the problem been patched? What versions should users upgrade to?

It will fixed in v2.1.10, Please upgrade version to v2.1.10 or above. Users who use v1.x.x should upgrade v1.3.4 or above.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

No, users have to upgrade version.

Database specific
{
    "github_reviewed_at": "2022-11-21T22:31:31Z",
    "nvd_published_at": "2022-11-17T18:15:00Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH"
}
References

Affected packages

Go / github.com/duke-git/lancet/v2

Package

Name
github.com/duke-git/lancet/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/duke-git/lancet/v2

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.1.10

Go / github.com/duke-git/lancet

Package

Name
github.com/duke-git/lancet
View open source insights on deps.dev
Purl
pkg:golang/github.com/duke-git/lancet

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.4