{"id":"GHSA-jcxc-rh6w-wf49","summary":"Link Following in Iris","details":"This affects all versions of package github.com/kataras/iris and all versions of package github.com/kataras/iris/v12. Unsafe handling of file names during upload via the UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder. Per the affected ranges in this record, github.com/kataras/iris/v12 is fixed in 12.2.0-alpha8; no fixed version is listed for github.com/kataras/iris.","aliases":["CVE-2021-23772","GO-2022-0272"],"modified":"2025-01-14T09:12:23.966394Z","published":"2022-01-06T21:36:19Z","database_specific":{"nvd_published_at":"2021-12-24T12:15:00Z","github_reviewed":true,"severity":"HIGH","cwe_ids":["CWE-59"],"github_reviewed_at":"2022-01-05T18:09:47Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23772"},{"type":"WEB","url":"https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08"},{"type":"PACKAGE","url":"https://github.com/kataras/iris"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2022-0272"},{"type":"WEB","url":"https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169"},{"type":"WEB","url":"https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170"}],"affected":[{"package":{"name":"github.com/kataras/iris/v12","ecosystem":"Go","purl":"pkg:golang/github.com/kataras/iris/v12"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"12.2.0-alpha8"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-jcxc-rh6w-wf49/GHSA-jcxc-rh6w-wf49.json"}},{"package":{"name":"github.com/kataras/iris","ecosystem":"Go","purl":"pkg:golang/github.com/kataras/iris"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"last_affected":"0.0.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-jcxc-rh6w-wf49/GHSA-jcxc-rh6w-wf49.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}