GoogleOSV:GHSA-PP3F-XRW5-Q5J4Lancet vulnerable to path traversal when unzipping files
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
59.0%
Impact
What kind of vulnerability is it? Who is impacted?
ZipSlip issue when use fileutil package to unzip files.
Patches
Has the problem been patched? What versions should users upgrade to?
It will fixed in v2.1.10, Please upgrade version to v2.1.10 or above.
Users who use v1.x.x should upgrade v1.3.4 or above.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No, users have to upgrade version.
References
github.com/duke-git/lancet
github.com/duke-git/lancet/commit/f133b32faa05eb93e66175d01827afa4b7094572
github.com/duke-git/lancet/commit/f869a0a67098e92d24ddd913e188b32404fa72c9
github.com/duke-git/lancet/issues/62
github.com/duke-git/lancet/security/advisories/GHSA-pp3f-xrw5-q5j4
nvd.nist.gov/vuln/detail/CVE-2022-41920
pkg.go.dev/vuln/GO-2022-1114
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
59.0%