Bug 2036051 (CVE-2021-23772) - CVE-2021-23772 kataras/iris: unsafe handling of file names during upload using UploadFormFiles method may allow attackers to write to arbitrary locations outside the designated target folder
Summary: CVE-2021-23772 kataras/iris: unsafe handling of file names during upload usin...
Keywords:
Status: NEW
Alias: CVE-2021-23772
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2043241
Blocks: 2036052
TreeView+ depends on / blocked
 
Reported: 2021-12-29 13:42 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-10-25 17:21 UTC (History)
6 users (show)

Fixed In Version: iris-12.2.0-alpha8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Iris Web Framework, where the UploadFormFiles method unsafely handles file names during upload. This flaw allows an attacker to write in arbitrary locations outside the designated target folder.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-12-29 13:42:52 UTC 
This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.

References:
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170

Upstream patch:
https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08
Comment 1 lnacshon 2021-12-29 14:51:19 UTC 
The following services are using iris-v12 as stated the version v12 is affected and a patch published
Note You need to log in before you can comment on or make changes to this bug.