CVE-2023-28105

2023-03-1617:15:09

CWE-22

[email protected]

web.nvd.nist.gov

go-used-util

cve-2023-28105

security vulnerability

path traversal

fsutil

zip.unzip

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.4%

JSON

go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use zip.Unzip to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds.

Affected configurations

Vulners

NVD

Node

dablelvgo_huge_utilRange<0.0.34

CPENameOperatorVersion
go-huge-util_project:go-huge-utilgo-huge-util project go-huge-utillt0.0.34

CPE	Name	Operator	Version
go-huge-util_project:go-huge-util	go-huge-util project go-huge-util	lt	0.0.34

CNA Affected

[
  {
    "vendor": "dablelv",
    "product": "go-huge-util",
    "versions": [
      {
        "version": "< 0.0.34",
        "status": "affected"
      }
    ]
  }
]