GO-2022-0272

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-0272

Import Source

https://vuln.go.dev/ID/GO-2022-0272.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0272

Aliases

Published

2022-07-15T23:08:12Z

Modified

2025-01-14T09:12:23.966394Z

Summary

Directory traversal in github.com/kataras/iris and github.com/kataras/iris/v12

Details

The Context.UploadFormFiles function is vulnerable to directory traversal attacks, and can be made to write to arbitrary locations outside the destination directory.

This vulnerability only occurs when built with Go versions prior to 1.17. Go 1.17 and later strip directory paths from filenames returned by "mime/multipart".Part.FileName, which avoids this issue.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0272"
}

References

Credits

- Snyk Security Team

Affected packages

Go / github.com/kataras/iris/v12

Package

Name: github.com/kataras/iris/v12; View open source insights on deps.dev
Purl: pkg:golang/github.com/kataras/iris/v12

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.2.0-alpha8

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/kataras/iris/v12/context",
            "symbols": [
                "Context.UploadFormFiles"
            ]
        }
    ]
}

Go / github.com/kataras/iris

Package

Name: github.com/kataras/iris; View open source insights on deps.dev
Purl: pkg:golang/github.com/kataras/iris

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/kataras/iris/context",
            "symbols": [
                "Context.UploadFormFiles"
            ]
        }
    ]
}