CVELIST:CVE-2022-41920 (source: cvelist, CNA: GitHub_M)
History: Nov 17, 2022 - 12:00 a.m.

CVE-2022-41920 Zip slip in Lancet

Published: 2022-11-17 00:00:00
CWE-22
Reporter: GitHub_M
Reference: www.cve.org
Tags: lancet, utility library, go programming language, zipslip issue, fileutil package

CVSS3: 6.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

AI Score: 8.8
Confidence: High
EPSS: 0.002
Percentile: 59.0%

Lancet is a general utility library for the Go programming language. Affected versions are subject to a ZipSlip issue (path traversal, CWE-22) when using the fileutil package to unzip files: an archive entry whose name contains ".." segments can be written outside the chosen destination directory. This issue has been addressed and a fix will be included in versions 2.1.10 and 1.3.4. Users are advised to upgrade. There are no known workarounds for this issue.
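The class of defect the advisory describes is extraction without checking where each entry name resolves. The following Go program is an added example, not Lancet's fileutil code or its fix: it shows the check a safe unzip routine needs (resolve the entry against the destination, then refuse anything that lands outside it) and validates every entry before writing anything. The archives, entry names such as "../escaped.txt", and the helper names SafeJoin, UnzipSafe and BuildArchive are constructed for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrZipSlip marks an entry whose cleaned path leaves the destination directory.
var ErrZipSlip = errors.New("zip slip: entry escapes destination directory")

// SafeJoin resolves an archive entry name against destDir. filepath.Join cleans
// "../" segments, so the remaining check is that the result still sits under destDir.
func SafeJoin(destDir, name string) (string, error) {
	base, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, name)
	if target != base && !strings.HasPrefix(target, base+string(os.PathSeparator)) {
		return "", fmt.Errorf("%q: %w", name, ErrZipSlip)
	}
	return target, nil
}

// UnzipSafe extracts an in-memory archive into destDir. All entry names are
// validated first, so one bad entry aborts extraction before any file is written.
func UnzipSafe(archive []byte, destDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if r == nil {
		return nil, err // unreadable archive
	}
	// Newer Go versions may return a non-nil reader with a path warning; our own check covers it.
	targets := make([]string, 0, len(r.File))
	for _, f := range r.File {
		t, err := SafeJoin(destDir, f.Name)
		if err != nil {
			return nil, err
		}
		targets = append(targets, t)
	}
	var written []string
	for i, f := range r.File {
		target := targets[i]
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		if err := copyEntry(f, target); err != nil {
			return written, err
		}
		written = append(written, target)
	}
	return written, nil
}

// copyEntry streams one archive file to target.
func copyEntry(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// BuildArchive builds a zip in memory from (name, content) pairs. Constructed
// sample input for this example; the names are not taken from the advisory.
func BuildArchive(entries [][2]string) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e[0])
		if err != nil {
			return nil, err
		}
		if _, err := fw.Write([]byte(e[1])); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	dest, _ := os.MkdirTemp("", "unzip-demo")
	defer os.RemoveAll(dest)
	good, _ := BuildArchive([][2]string{{"docs/readme.txt", "hello"}})
	bad, _ := BuildArchive([][2]string{{"docs/readme.txt", "hello"}, {"../escaped.txt", "outside"}})
	if files, err := UnzipSafe(good, dest); err == nil {
		fmt.Println("clean archive extracted:", files)
	}
	if _, err := UnzipSafe(bad, dest); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Validating all names before the first write is deliberate: a routine that checks each entry as it goes still leaves the earlier entries on disk when a later one is rejected, which complicates cleanup and incident triage. The prefix check uses the absolute, cleaned destination so that a relative destination such as "." is handled correctly.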

CNA Affected

[
  {
    "vendor": "duke-git",
    "product": "lancet",
    "versions": [
      {
        "version": "< 1.3.4",
        "status": "affected"
      },
      {
        "version": ">= 2.0.0, < 2.1.10",
        "status": "affected"
      }
    ]
  }
]
