GO-2024-2730
- Source
- https://pkg.go.dev/vuln/GO-2024-2730
- Import Source
- https://vuln.go.dev/ID/GO-2024-2730.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2024-2730
- Related
- Withdrawn
- 2024-04-17T18:06:23Z
- Published
- 2024-04-17T15:34:19Z
- Modified
- 2026-02-04T03:04:31.370995Z
- Summary
- WITHDRAWN: Directory traversal in FilesystemStore in github.com/gorilla/sessions
- Details
-
(This report has been withdrawn on the grounds that it generates too many false positives. Session IDs are documented as not being suitable to hold user-provided data.)
FilesystemStore does not sanitize the Session.ID value, making it vulnerable to directory traversal attacks. If an attacker has control over the contents of the session ID, this can be exploited to write to arbitrary files in the filesystem.
Programs which do not set session IDs explicitly, or which only set session IDs that will not be interpreted by the filesystem, are not vulnerable.
- Database specific
{ "url": "https://pkg.go.dev/vuln/GO-2024-2730", "review_status": "REVIEWED" }- References
Affected packages
Go / github.com/gorilla/sessions
Package
- Name
- github.com/gorilla/sessions
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/gorilla/sessions
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"imports": [
{
"symbols": [
"CookieStore.Get",
"FilesystemStore.Get",
"FilesystemStore.New",
"FilesystemStore.Save",
"FilesystemStore.erase",
"FilesystemStore.load",
"FilesystemStore.save",
"Registry.Get",
"Registry.Save",
"Save",
"Session.Save"
],
"path": "github.com/gorilla/sessions"
}
]
}