Bug 2036051 (CVE-2021-23772)
| Summary: | CVE-2021-23772 kataras/iris: unsafe handling of file names during upload using UploadFormFiles method may allow attackers to write to arbitrary locations outside the designated target folder | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | caswilli, gparvin, kaycoth, njean, pahickey, stcannon |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | iris-12.2.0-alpha8 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the Iris Web Framework, where the UploadFormFiles method unsafely handles file names during upload. This flaw allows an attacker to write files to arbitrary locations outside the designated target folder. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2043241 | | |
| Bug Blocks: | 2036052 | | |
Description
Guilherme de Almeida Suckevicz
2021-12-29 13:42:52 UTC
The following services are using iris-v12. As stated, version v12 is affected and a patch has been published.