CVE-2021-23772

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.

Published: Dec 24, 2021
Updated: May 9, 2024
CVE: CVE-2021-23772
GHSA: GHSA-jcxc-rh6w-wf49
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-59

Affected Software
References

Software	From	Fixed in
iris-go / iris	-	12.1.8.x
iris-go / iris	12.2.0-alpha	12.2.0-alpha.x
iris-go / iris	12.2.0-alpha2	12.2.0-alpha2.x
iris-go / iris	12.2.0-alpha3	12.2.0-alpha3.x
iris-go / iris	12.2.0-alpha4	12.2.0-alpha4.x
iris-go / iris	12.2.0-alpha5	12.2.0-alpha5.x
github.com/kataras/iris/v12	-	12.2.0-alpha8
github.com/kataras/iris	-	0.0.2.x

https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08
https://pkg.go.dev/vuln/GO-2022-0272
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170

Vulnerability Database

CVE-2021-23772

Deep Security Visibility Without the Complexity