GO-2022-1027

Source
https://pkg.go.dev/vuln/GO-2022-1027
Import Source
https://vuln.go.dev/ID/GO-2022-1027.json
Aliases
Published
2022-10-05T18:02:53Z
Modified
2023-11-08T04:10:22.365620Z
Details

Improper path sanitization on Windows permits path traversal attacks. Static file serving with the Static or StaticFS functions allows an attacker to access files from outside the filesystem root.

This vulnerability does not affect non-Windows systems.

References

Affected packages

Go / github.com/cloudwego/hertz

Affected ranges

Type
SEMVER
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
0.3.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/cloudwego/hertz/pkg/protocol",
            "symbols": [
                "Cookie.SetPath",
                "Cookie.SetPathBytes",
                "NewRequest",
                "ParseURI",
                "Request.Host",
                "Request.ParseURI",
                "Request.Path",
                "Request.QueryString",
                "Request.SetHost",
                "Request.SetQueryString",
                "Request.URI",
                "URI.Parse",
                "URI.SetPath",
                "URI.SetPathBytes",
                "URI.Update",
                "URI.UpdateBytes",
                "normalizePath"
            ],
            "goos": [
                "windows"
            ]
        }
    ]
}