GO-2022-0470
- Source
- https://pkg.go.dev/vuln/GO-2022-0470
- Import Source
- https://vuln.go.dev/ID/GO-2022-0470.json
- Aliases
- Published
- 2022-07-15T23:29:55Z
- Modified
- 2023-11-08T04:09:22.905215Z
- Details
-
HTTP handlers provide unauthenticated access to the local filesystem.
The Bleve http package is intended for demonstration purposes and contains no authentication, authorization, or validation of user inputs. Exposing handlers from this package can permit attackers to create files and delete directories.
- References
Affected packages
Go / github.com/blevesearch/bleve
Package
Ecosystem specific
{
"imports": [
{
"path": "github.com/blevesearch/bleve/http",
"symbols": [
"AliasHandler.ServeHTTP",
"CreateIndexHandler.ServeHTTP",
"DebugDocumentHandler.ServeHTTP",
"DeleteIndexHandler.ServeHTTP",
"DocCountHandler.ServeHTTP",
"DocDeleteHandler.ServeHTTP",
"DocGetHandler.ServeHTTP",
"DocIndexHandler.ServeHTTP",
"GetIndexHandler.ServeHTTP",
"ListFieldsHandler.ServeHTTP",
"SearchHandler.ServeHTTP"
]
}
]
}
Go / github.com/blevesearch/bleve/v2
Package
Ecosystem specific
{
"imports": [
{
"path": "github.com/blevesearch/bleve/v2/http",
"symbols": [
"AliasHandler.ServeHTTP",
"CreateIndexHandler.ServeHTTP",
"DebugDocumentHandler.ServeHTTP",
"DeleteIndexHandler.ServeHTTP",
"DocCountHandler.ServeHTTP",
"DocDeleteHandler.ServeHTTP",
"DocGetHandler.ServeHTTP",
"DocIndexHandler.ServeHTTP",
"GetIndexHandler.ServeHTTP",
"ListFieldsHandler.ServeHTTP",
"SearchHandler.ServeHTTP"
]
}
]
}