Arbitrary File Write
CVE-2021-23772

7.5HIGH

Key Information:

Vendor: Iris-go
Status: Github.com/kataras/iris; Github.com/kataras/iris/v12
Vendor: CVE Published:; 24 December 2021

What is CVE-2021-23772?

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.

Affected Version(s)

github.com/kataras/iris 0

github.com/kataras/iris/v12 0

References

https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-232...

x_refsource_MISC

https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-...

x_refsource_MISC

https://github.com/kataras/iris/commit/e213dba0d32ff66653...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 24, 2021
Vulnerability Reserved
Jan 8, 2021

Credit

Snyk Security Team

JSON

Iris-go

What is CVE-2021-23772?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit