CVE-2021-23772
Directory traversal in github.com/kataras/iris and github.com/kataras/iris/v12
7.5
HIGH
CVSS 3.1
EPSS 0.88%
Description
The Context.UploadFormFiles function is vulnerable to directory traversal attacks, and can be made to write to arbitrary locations outside the destination directory. This vulnerability only occurs when built with Go versions prior to 1.17. Go 1.17 and later strip directory paths from filenames returned by "mime/multipart".Part.FileName, which avoids this issue.
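The defensive pattern behind the Go 1.17 fix, as an added example (not code from the iris project or the Go standard library): reduce the client-supplied multipart filename to its last path element before joining it to the upload directory, then confirm the result is a direct child of that directory. Treating backslashes as separators is an extra hardening step assumed here, beyond what Part.FileName does.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ErrUnsafeFileName reports a client-supplied filename that does not reduce
// to a plain file name inside the destination directory.
var ErrUnsafeFileName = errors.New("unsafe multipart filename")

// SafeUploadPath returns the on-disk path for an uploaded file. It applies
// the normalization Go 1.17 added to Part.FileName (keep only the last path
// element), additionally treats backslashes as separators, and finally
// verifies the joined path is still inside destDir. destDir is assumed to be
// a directory chosen by the server, never derived from client input.
func SafeUploadPath(destDir, clientName string) (string, error) {
	// Normalize separators so a Windows-style "..\\x" is handled like "../x"
	// even on a Linux host, where filepath.Base leaves backslashes alone.
	name := path.Base(strings.ReplaceAll(clientName, "\\", "/"))
	switch name {
	case "", ".", "..", "/":
		return "", ErrUnsafeFileName
	}

	dest := filepath.Clean(destDir)
	full := filepath.Join(dest, name)

	// Belt and braces: the only acceptable result is a direct child of dest.
	rel, err := filepath.Rel(dest, full)
	if err != nil || rel != name {
		return "", ErrUnsafeFileName
	}
	return full, nil
}

func main() {
	// Constructed sample filenames of the kind a multipart client could send.
	for _, n := range []string{"report.pdf", "../../etc/passwd", "..", ""} {
		p, err := SafeUploadPath("/srv/uploads", n)
		fmt.Printf("%-20q -> %q, %v\n", n, p, err)
	}
}
```

A traversal-style name is not rejected outright but collapses to its final element, which matches the Go 1.17 behaviour described above; names that cannot become a plain file name are refused.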
How to fix CVE-2021-23772
To remediate CVE-2021-23772, upgrade the affected package to a fixed version below.
- —no fix listed
- —no fix listed
- —upgrade to 12.2.0-alpha8 or later
- —upgrade to 12.2.0-alpha8 or later
Is CVE-2021-23772 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, <= 0.0.2
- from 0
- from 0, < 12.2.0-alpha8
- from 0, < 12.2.0-alpha8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |