CVE-2023-28105 - OpenCVE

go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Go-huge-util Project	Go-huge-util

Configuration 1 [-]

cpe:2.3:a:go-huge-util_project:go-huge-util:*:*:*:*:*:go:*:*

No data.

References

Link	Providers
https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b
https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-03-16T16:26:34.669Z

Updated: 2024-08-02T12:30:24.133Z

Reserved: 2023-03-10T18:34:29.226Z

Link: CVE-2023-28105

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-03-16T17:15:09.483

Modified: 2023-03-23T13:59:56.927

Link: CVE-2023-28105

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28105", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-03-10T18:34:29.226Z", "datePublished": "2023-03-16T16:26:34.669Z", "dateUpdated": "2024-08-02T12:30:24.133Z"}, "containers": {"cna": {"title": "Go-huge-util vulnerable to path traversal when unzipping files", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8"}, {"name": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b", "tags": ["x_refsource_MISC"], "url": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b"}], "affected": [{"vendor": "dablelv", "product": "go-huge-util", "versions": [{"version": "< 0.0.34", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-16T16:26:34.669Z"}, "descriptions": [{"lang": "en", "value": "go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds."}], "source": {"advisory": "GHSA-5g39-ppwg-6xx8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:30:24.133Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8"}, {"name": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:go-huge-util_project:go-huge-util:*:*:*:*:*:go:*:*", "matchCriteriaId": "58D7A018-81A2-441C-AAA7-220C71A59A01", "versionEndExcluding": "0.0.34", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds."}], "id": "CVE-2023-28105", "lastModified": "2023-03-23T13:59:56.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-03-16T17:15:09.483", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dablelv/go-huge-util/commit/0e308b0fac8973e6fa251b0ab095cdc5c1c0956b"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/dablelv/go-huge-util/security/advisories/GHSA-5g39-ppwg-6xx8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}