Lucene search

[email protected]NVD:CVE-2022-41920

HistoryNov 17, 2022 - 6:15 p.m.

CVE-2022-41920

2022-11-1718:15:10

CWE-22

[email protected]

web.nvd.nist.gov

lancet library

zipslip issue

fileutil package

upgrade

zipslip vulnerability fix

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

59.0%

JSON

Lancet is a general utility library for the go programming language. Affected versions are subject to a ZipSlip issue when using the fileutil package to unzip files. This issue has been addressed and a fix will be included in versions 2.1.10 and 1.3.4. Users are advised to upgrade. There are no known workarounds for this issue.

Affected configurations

Nvd

Node

lancet_projectlancetRange<1.3.4go

lancet_projectlancetRange2.0.0–2.1.10go

VendorProductVersionCPE
lancet_projectlancet*cpe:2.3:a:lancet_project:lancet:*:*:*:*:*:go:*:*

Vendor	Product	Version	CPE
lancet_project	lancet	*	cpe:2.3:a:lancet_project:lancet::::::go::*

References

github.com/duke-git/lancet/commit/f133b32faa05eb93e66175d01827afa4b7094572

github.com/duke-git/lancet/commit/f869a0a67098e92d24ddd913e188b32404fa72c9

github.com/duke-git/lancet/issues/62

github.com/duke-git/lancet/security/advisories/GHSA-pp3f-xrw5-q5j4

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

59.0%

JSON

Related for NVD:CVE-2022-41920

prion1 osv3 veracode1 cvelist1 github1 cve1