Bug 2036051 (CVE-2021-23772)

Summary: CVE-2021-23772 kataras/iris: unsafe handling of file names during upload using the UploadFormFiles method may allow attackers to write to arbitrary locations outside the designated target folder
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: caswilli, gparvin, kaycoth, njean, pahickey, stcannon
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: iris-12.2.0-alpha8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Iris Web Framework, where the UploadFormFiles method unsafely handles file names during upload. This flaw allows an attacker to write to arbitrary locations outside the designated target folder.
Bug Depends On: 2043241
Bug Blocks: 2036052

Description Guilherme de Almeida Suckevicz 2021-12-29 13:42:52 UTC
This affects all versions of package github.com/kataras/iris and all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using the UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.

References:
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170

Upstream patch:
https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08
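The bug class the report describes, illustrated as an added Go example that is not Iris code and not the upstream patch: NaiveUploadPath joins the client-supplied multipart file name onto the target directory unchanged, while SafeUploadPath (a hypothetical helper, with an assumed /srv/uploads target) keeps only the base name and checks that the result stays inside the directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned when a client-supplied file name would
// resolve outside the upload directory.
var ErrUnsafeName = errors.New("unsafe upload file name")

// NaiveUploadPath reproduces the bug class described in this report:
// the multipart file name is joined onto the target directory as-is,
// so "../" components in the name walk out of that directory.
func NaiveUploadPath(dir, name string) string {
	return filepath.Join(dir, name)
}

// SafeUploadPath keeps only the base name of the client-supplied file
// name (dropping any directory components), rejects names that are empty
// or consist only of dots, and confirms the result still lies under dir.
func SafeUploadPath(dir, name string) (string, error) {
	// Treat backslashes as separators too, so a name like "..\\..\\x"
	// cannot survive as a single path element on Linux.
	name = strings.ReplaceAll(name, "\\", "/")
	base := filepath.Base(name)
	if base == "." || base == ".." || base == "/" || base == "" {
		return "", ErrUnsafeName
	}
	root := filepath.Clean(dir)
	dst := filepath.Join(root, base)
	// Belt-and-braces containment check on the final path.
	rel, err := filepath.Rel(root, dst)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return dst, nil
}

func main() {
	// Constructed sample file names a client might send in the multipart header.
	for _, n := range []string{"report.pdf", "../../etc/passwd", "..", "sub/dir/x.txt"} {
		fmt.Printf("naive: %q\n", NaiveUploadPath("/srv/uploads", n))
		p, err := SafeUploadPath("/srv/uploads", n)
		fmt.Printf("safe:  %q %v\n", p, err)
	}
}
```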

Comment 1 lnacshon 2021-12-29 14:51:19 UTC
The following services are using iris-v12. As stated, version v12 is affected and a patch has been published.