{"id":"GO-2023-1713","summary":"Path traversal in github.com/sjqzhang/go-fastdfs","details":"An attacker can craft a remote request to upload a file to \"/group1/upload\" that uses path traversal to instead write the file contents to an attacker controlled path on the server.","aliases":["CVE-2023-1800","GHSA-xq3x-grrj-fj6x"],"modified":"2024-05-20T16:03:47Z","published":"2023-04-12T21:45:55Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2023-1713","review_status":"REVIEWED"},"references":[{"type":"WEB","url":"https://github.com/yangyanglo/ForCVE/blob/93a16663cd32a36d37d8a0f0102e1592254d0279/2023-0x05.md"},{"type":"WEB","url":"https://vuldb.com/?ctiid.224768"},{"type":"WEB","url":"https://vuldb.com/?id.224768"},{"type":"FIX","url":"https://github.com/sjqzhang/go-fastdfs/commit/61cbff5124c61e292994099372b11c06cdb5b80b"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-xq3x-grrj-fj6x"}],"affected":[{"package":{"name":"github.com/sjqzhang/go-fastdfs","ecosystem":"Go","purl":"pkg:golang/github.com/sjqzhang/go-fastdfs"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.4.5-0.20230408141131-61cbff5124c6"}]}],"ecosystem_specific":{"imports":[{"symbols":["HttpHandler.ServeHTTP","Server.ConsumerUpload","Server.CrossOrigin","Server.Download","Server.DownloadNormalFileByURI","Server.Start","Server.Upload","Server.upload","Start"],"path":"github.com/sjqzhang/go-fastdfs/server"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-1713.json"}}],"schema_version":"1.7.3"}