GO-2022-0230

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-0230

Import Source

https://vuln.go.dev/ID/GO-2022-0230.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0230

Aliases

Published

2022-07-01T20:17:57Z

Modified

2025-01-14T08:41:58.835965Z

Summary

Improper limitation of path name in github.com/containernetworking/cni

Details

The FindInPath function is vulnerable to directory traversal attacks, potentially permitting attackers to execute arbitrary binaries.

This function does not sanitize its plugin parameter, so parameter names containing "../" or other such elements may reference arbitrary locations on the filesystem.

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2022-0230",
    "review_status": "REVIEWED"
}

References

Affected packages

Go / github.com/containernetworking/cni

Package

Name: github.com/containernetworking/cni; View open source insights on deps.dev
Purl: pkg:golang/github.com/containernetworking/cni

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.8.1

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "DelegateAdd",
                "DelegateCheck",
                "DelegateDel",
                "FindInPath",
                "RawExec.FindInPath"
            ],
            "path": "github.com/containernetworking/cni/pkg/invoke"
        }
    ]
}