7 matches found

OSV
added 2022/07/15 11:8 p.m., 16 views

GO-2022-0272 Directory traversal in github.com/kataras/iris and github.com/kataras/iris/v12

The Context.UploadFormFiles function is vulnerable to directory traversal attacks, and can be made to write to arbitrary locations outside the destination directory. This vulnerability only occurs when built with Go versions prior to 1.17. Go 1.17 and later strip directory paths from filenames...

CVSS 8.8, AI score 8.6, EPSS 0.00884
Exploits: 1, References: 3

OSV
added 2022/01/06 9:36 p.m., 12 views

GHSA-JCXC-RH6W-WF49 Link Following in Iris

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder...

CVSS 7.5, AI score 8.7, EPSS 0.00884
Exploits: 1, References: 6

Github Security Blog
added 2022/01/06 9:36 p.m., 22 views

Link Following in Iris

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder...

CVSS 8.8, AI score 4.1, EPSS 0.00884
Exploits: 1, References: 6, Affected Software: 2

Veracode
added 2021/12/27 9:33 a.m., 17 views

Directory Traversal

github.com/kataras/iris is vulnerable to directory traversal. A malicious user is able to write to arbitrary locations using UploadFormFiles method in context file due to improper parsing of file paths...

CVSS 8.8, AI score 3.7, EPSS 0.00884
Exploits: 1, References: 2, Affected Software: 1

Prion
added 2021/12/24 12:15 p.m., 8 views

Design/Logic Flaw

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder...

CVSS 6.8, AI score 8.7, EPSS 0.00884
Exploits: 1, References: 3, Affected Software: 1

CVE
added 2021/12/24 12:5 p.m., 72 views

CVE-2021-23772

CVE-2021-23772 affects all versions of github.com/kataras/iris and iris/v12, due to unsafe handling of filenames in UploadFormFiles that can allow writing to arbitrary locations outside the target folder. Multiple sources (Red Hat, SUSE, OSV, CVE listings) consistently describe a directory-traver...

CVSS 8.8, AI score 8.1, EPSS 0.00884
Exploits: 1, References: 3, Affected Software: 1

Cvelist
added 2021/12/24 12:5 p.m., 12 views

CVE-2021-23772 Arbitrary File Write

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder...

CVSS 7.5, AI score 8.9, EPSS 0.00884
Exploits: 1, References: 3