CVE-2023-28105 – github.com/dablelv/go-huge-util
Package
Manager: go
Name: github.com/dablelv/go-huge-util
Vulnerable Version: >=0 <0.0.34
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00088 (percentile 0.26072)
Details
Go-huge-util vulnerable to path traversal when unzipping files
Impact: A ZipSlip issue exists when the fsutil package is used to unzip files. When users call zip.Unzip on zip files supplied by a malicious attacker, they may be vulnerable to path traversal.
Patches: Fixed in v0.0.34. Upgrade to v0.0.34 or above.
Workarounds: None; users have to upgrade.
Specific Go Packages Affected: github.com/dablelv/go-huge-util/zip
Metadata
Created: 2023-03-16T18:32:38Z
Modified: 2023-10-02T10:43:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-5g39-ppwg-6xx8/GHSA-5g39-ppwg-6xx8.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-5g39-ppwg-6xx8
Finding: F063
Auto approve: 1