GO-2022-0230

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-0230

Import Source

https://vuln.go.dev/ID/GO-2022-0230.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0230

Aliases

CVE-2021-20206
GHSA-xjqr-g762-pxwp
SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-1070549

Published

2022-07-01T20:17:57Z

Modified

2024-09-03T03:41:46.113381Z

Summary

Improper limitation of path name in github.com/containernetworking/cni

Details

The FindInPath function is vulnerable to directory traversal attacks, potentially permitting attackers to execute arbitrary binaries.

This function does not sanitize its plugin parameter, so parameter names containing "../" or other such elements may reference arbitrary locations on the filesystem.

References

Affected packages

Go / github.com/containernetworking/cni

Package

Name: github.com/containernetworking/cni; View open source insights on deps.dev
Purl: pkg:golang/github.com/containernetworking/cni

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.8.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/containernetworking/cni/pkg/invoke",
            "symbols": [
                "DelegateAdd",
                "DelegateCheck",
                "DelegateDel",
                "FindInPath",
                "RawExec.FindInPath"
            ]
        }
    ]
}