Lucene search

GoogleOSV:CVE-2022-41920

HistoryNov 17, 2022 - 6:15 p.m.

CVE-2022-41920

2022-11-1718:15:10

Google

osv.dev

lancet

go language

zipslip

fileutil

upgrade

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.002

Percentile

59.0%

JSON

Lancet is a general utility library for the go programming language. Affected versions are subject to a ZipSlip issue when using the fileutil package to unzip files. This issue has been addressed and a fix will be included in versions 2.1.10 and 1.3.4. Users are advised to upgrade. There are no known workarounds for this issue.

References

github.com/duke-git/lancet/commit/f133b32faa05eb93e66175d01827afa4b7094572

github.com/duke-git/lancet/commit/f869a0a67098e92d24ddd913e188b32404fa72c9

github.com/duke-git/lancet/issues/62

github.com/duke-git/lancet/security/advisories/GHSA-pp3f-xrw5-q5j4

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.002

Percentile

59.0%

JSON

Related for OSV:CVE-2022-41920