CVE-2021-23772

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.
Link Following
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
snykCNA
7.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
VendorProductVersion
iris-goiris
𝑥
≤ 12.1.8
iris-goiris
12.2.0:alpha
iris-goiris
12.2.0:alpha2
iris-goiris
12.2.0:alpha3
iris-goiris
12.2.0:alpha4
iris-goiris
12.2.0:alpha5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170
https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170