GHSA-5g39-ppwg-6xx8: Go-huge-util vulnerable to path traversal when unzipping files
Package
gomod github.com/dablelv/go-huge-util/zip (Go)
Affected versions
< 0.0.34
Patched versions
0.0.34
Description
Impact
A ZipSlip issue exists when using the fsutil package to unzip files.
When users call zip.Unzip on a zip file supplied by a malicious attacker, they may be vulnerable to path traversal.
Patches
The issue has been fixed in v0.0.34. Please upgrade to v0.0.34 or above.
Workarounds
None. Users have to upgrade.
References
- GHSA-5g39-ppwg-6xx8
- https://nvd.nist.gov/vuln/detail/CVE-2023-28105
- dablelv/go-huge-util@0e308b0
dablelv published to dablelv/go-huge-util
Mar 16, 2023
Published by the National Vulnerability Database
Mar 16, 2023
Published to the GitHub Advisory Database
Mar 16, 2023
Reviewed
Mar 16, 2023
Last updated
Mar 16, 2023
Related news
go-huge-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using the fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds.