CVE-2023-28105 - Vulnerability Details - OpenCVE

go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00088.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Go-huge-util Project	Go-huge-util

Configuration 1 [-]

cpe:2.3:a:go-huge-util_project:go-huge-util:*:*:*:*:*:go:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-0883	go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds.
Github GHSA	GHSA-5g39-ppwg-6xx8	Go-huge-util vulnerable to path traversal when unzipping files

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b
https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8

History

Tue, 25 Feb 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-03-16T16:26:34.669Z

Updated: 2025-02-25T14:55:23.289Z

Reserved: 2023-03-10T18:34:29.226Z

Link: CVE-2023-28105

Vulnrichment

Updated: 2024-08-02T12:30:24.133Z

NVD

Status : Modified

Published: 2023-03-16T17:15:09.483

Modified: 2024-11-21T07:54:24.847

Link: CVE-2023-28105

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28105", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-03-10T18:34:29.226Z", "datePublished": "2023-03-16T16:26:34.669Z", "dateUpdated": "2025-02-25T14:55:23.289Z"}, "containers": {"cna": {"title": "Go-huge-util vulnerable to path traversal when unzipping files", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8"}, {"name": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b", "tags": ["x_refsource_MISC"], "url": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b"}], "affected": [{"vendor": "dablelv", "product": "go-huge-util", "versions": [{"version": "< 0.0.34", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-16T16:26:34.669Z"}, "descriptions": [{"lang": "en", "value": "go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds."}], "source": {"advisory": "GHSA-5g39-ppwg-6xx8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:30:24.133Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8"}, {"name": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-25T14:29:17.236839Z", "id": "CVE-2023-28105", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-25T14:55:23.289Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8", "name": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b", "name": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:30:24.133Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-28105", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-25T14:29:17.236839Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-25T14:29:18.772Z"}}], "cna": {"title": "Go-huge-util vulnerable to path traversal when unzipping files", "source": {"advisory": "GHSA-5g39-ppwg-6xx8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "dablelv", "product": "go-huge-util", "versions": [{"status": "affected", "version": "< 0.0.34"}]}], "references": [{"url": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8", "name": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b", "name": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-16T16:26:34.669Z"}}}, "cveMetadata": {"cveId": "CVE-2023-28105", "state": "PUBLISHED", "dateUpdated": "2025-02-25T14:55:23.289Z", "dateReserved": "2023-03-10T18:34:29.226Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-03-16T16:26:34.669Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:go-huge-util_project:go-huge-util:*:*:*:*:*:go:*:*", "matchCriteriaId": "58D7A018-81A2-441C-AAA7-220C71A59A01", "versionEndExcluding": "0.0.34", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds."}], "id": "CVE-2023-28105", "lastModified": "2024-11-21T07:54:24.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-16T17:15:09.483", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}