GO-2024-2616

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2024-2616

Import Source

https://vuln.go.dev/ID/GO-2024-2616.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2024-2616

Aliases

Published

2024-03-11T20:09:34Z

Modified

2024-05-20T16:03:47Z

Summary

Path traversal and user privilege escalation in github.com/IceWhaleTech/CasaOS-UserService

Details

The UserService API contains a path traversal vulnerability that allows an attacker to obtain any file on the system, including the user database and system configuration. This can lead to privilege escalation and compromise of the system.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2024-2616"
}

References

Credits

- Cp0204

Affected packages

Go / github.com/IceWhaleTech/CasaOS-UserService

Package

Name: github.com/IceWhaleTech/CasaOS-UserService; View open source insights on deps.dev
Purl: pkg:golang/github.com/IceWhaleTech/CasaOS-UserService

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.4.7

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/IceWhaleTech/CasaOS-UserService/route/v1",
            "symbols": [
                "GetUserImage"
            ]
        }
    ]
}