GO-2021-0051

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2021-0051

Import Source

https://vuln.go.dev/ID/GO-2021-0051.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2021-0051

Aliases

Published

2021-04-14T20:04:52Z

Modified

2024-05-20T16:03:47Z

Summary

Directory traversal on Windows in github.com/labstack/echo/v4

Details

Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

References

Credits

- @little-cui (Apache ServiceComb)

Affected packages

Go / github.com/labstack/echo/v4

Package

Name: github.com/labstack/echo/v4; View open source insights on deps.dev
Purl: pkg:golang/github.com/labstack/echo/v4

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.18-0.20201215153152-4422e3b66b9f

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/labstack/echo/v4",
            "symbols": [
                "Echo.Static",
                "Group.Static",
                "common.static"
            ],
            "goos": [
                "windows"
            ]
        }
    ]
}