8.8
CVE-2022-41920
- EPSS 0.79%
- Veröffentlicht 17.11.2022 18:15:10
- Zuletzt bearbeitet 21.11.2024 07:24:04
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginZip slip in Lancet
Lancet is a general utility library for the go programming language. Affected versions are subject to a ZipSlip issue when using the fileutil package to unzip files. This issue has been addressed and a fix will be included in versions 2.1.10 and 1.3.4. Users are advised to upgrade. There are no known workarounds for this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Lancet Project ≫ Lancet SwPlatformgo Version < 1.3.4
Lancet Project ≫ Lancet SwPlatformgo Version >= 2.0.0 < 2.1.10
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.79% | 0.515 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 6.3 | 2.8 | 3.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
https://github.com/duke-git/lancet/commit/f133b32faa05eb93e66175d01827afa4b7094572
https://github.com/duke-git/lancet/commit/f869a0a67098e92d24ddd913e188b32404fa72c9
https://github.com/duke-git/lancet/issues/62
https://github.com/duke-git/lancet/security/advisories/GHSA-pp3f-xrw5-q5j4