Headline
GHSA-fx2v-qfhr-4chv: Goutil vulnerable to path traversal when unzipping files
Impact
A ZipSlip issue exists when the fsutil package is used to unzip files. When users call fsutil.Unzip on zip files from a malicious attacker, they may be vulnerable to path traversal.
Patches
This has been fixed in v0.6.0. Please upgrade to v0.6.0 or above.
Workarounds
None. Users have to upgrade.
Package
gomod github.com/gookit/goutil (Go)
Affected versions
< 0.6.0
Patched versions
0.6.0
References
- GHSA-fx2v-qfhr-4chv
- https://nvd.nist.gov/vuln/detail/CVE-2023-27475
- gookit/goutil@d7b94fe
inhere published to gookit/goutil
Mar 7, 2023
Published by the National Vulnerability Database
Mar 7, 2023
Published to the GitHub Advisory Database
Mar 7, 2023
Reviewed
Mar 7, 2023
Last updated
Mar 7, 2023
Related news
Goutil is a collection of miscellaneous functionality for the Go language. In versions prior to 0.6.0, when users use fsutil.Unzip to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. This vulnerability is known as a ZipSlip. This issue has been fixed in version 0.6.0, and users are advised to upgrade. There are no known workarounds for this issue.