GO-2022-0272

Source
https://pkg.go.dev/vuln/GO-2022-0272
Import Source
https://vuln.go.dev/ID/GO-2022-0272.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0272
Aliases
Published
2022-07-15T23:08:12Z
Modified
2025-01-14T09:12:23.966394Z
Summary
Directory traversal in github.com/kataras/iris and github.com/kataras/iris/v12
Details

The Context.UploadFormFiles function is vulnerable to directory traversal attacks, and can be made to write to arbitrary locations outside the destination directory.

This vulnerability only occurs when built with Go versions prior to 1.17. Go 1.17 and later strip directory paths from filenames returned by "mime/multipart".Part.FileName, which avoids this issue.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0272"
}
References
Credits
    • Snyk Security Team

Affected packages

Go / github.com/kataras/iris/v12

Package

Name
github.com/kataras/iris/v12
View open source insights on deps.dev
Purl
pkg:golang/github.com/kataras/iris/v12

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
12.2.0-alpha8

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/kataras/iris/v12/context",
            "symbols": [
                "Context.UploadFormFiles"
            ]
        }
    ]
}

Go / github.com/kataras/iris

Package

Name
github.com/kataras/iris
View open source insights on deps.dev
Purl
pkg:golang/github.com/kataras/iris

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/kataras/iris/context",
            "symbols": [
                "Context.UploadFormFiles"
            ]
        }
    ]
}