GHSA-pp3f-xrw5-q5j4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pp3f-xrw5-q5j4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-pp3f-xrw5-q5j4/GHSA-pp3f-xrw5-q5j4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pp3f-xrw5-q5j4
- Aliases
- Related
- Published
- 2022-11-21T22:31:31Z
- Modified
- 2023-11-08T04:10:35.692001Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Lancet vulnerable to path traversal when unzipping files
- Details
-
Impact
What kind of vulnerability is it? Who is impacted?
ZipSlip issue when use fileutil package to unzip files.
Patches
Has the problem been patched? What versions should users upgrade to?
It will fixed in v2.1.10, Please upgrade version to v2.1.10 or above. Users who use v1.x.x should upgrade v1.3.4 or above.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No, users have to upgrade version.
- Database specific
{ "github_reviewed_at": "2022-11-21T22:31:31Z", "nvd_published_at": "2022-11-17T18:15:00Z", "github_reviewed": true, "cwe_ids": [ "CWE-22" ], "severity": "HIGH" }- References
-
- https://github.com/duke-git/lancet/security/advisories/GHSA-pp3f-xrw5-q5j4
- https://nvd.nist.gov/vuln/detail/CVE-2022-41920
- https://github.com/duke-git/lancet/issues/62
- https://github.com/duke-git/lancet/commit/f133b32faa05eb93e66175d01827afa4b7094572
- https://github.com/duke-git/lancet/commit/f869a0a67098e92d24ddd913e188b32404fa72c9
- https://github.com/duke-git/lancet
- https://pkg.go.dev/vuln/GO-2022-1114
Affected packages
Go / github.com/duke-git/lancet/v2
Package
- Name
- github.com/duke-git/lancet/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/duke-git/lancet/v2
Go / github.com/duke-git/lancet
Package
- Name
- github.com/duke-git/lancet
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/duke-git/lancet