Lucene search

GitHub_MCVELIST:CVE-2023-28105

HistoryMar 16, 2023 - 4:26 p.m.

CVE-2023-28105 Go-huge-util vulnerable to path traversal when unzipping files

2023-03-1616:26:34

CWE-22

GitHub_M

www.cve.org

go-huge-util

path traversal

zip.unzip

vulnerability

fsutil package

malicious attacker

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

8.9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.4%

JSON

go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use zip.Unzip to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds.

CNA Affected

[
  {
    "vendor": "dablelv",
    "product": "go-huge-util",
    "versions": [
      {
        "version": "< 0.0.34",
        "status": "affected"
      }
    ]
  }
]

References

github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b

github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8