Vulnerability Details : CVE-2022-41920
Lancet is a general utility library for the Go programming language. Affected versions are subject to a ZipSlip issue when using the fileutil package to unzip files: an archive entry whose name contains path-traversal elements (for example a leading "../") is written relative to the destination directory without the resulting path being checked, so a crafted archive can cause files to be written outside that directory. The issue has been addressed and a fix will be included in versions 2.1.10 and 1.3.4. Users are advised to upgrade. There are no known workarounds for this issue.
Vulnerability category: Directory traversal
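The ZipSlip pattern the description refers to, shown as an added example in Go. This is not lancet's code and does not reproduce the fileutil API or the exact check in the referenced fix commits; the function names, the destination directory and the archive contents are constructed for illustration. The unsafe join is placed beside the hardened form, and the extraction routine validates every entry name before touching disk so a crafted archive is rejected without a partial extraction:

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrZipSlip is returned when an archive entry name would resolve outside the
// destination directory.
var ErrZipSlip = errors.New("zip entry escapes destination directory")

// unsafeTarget is the vulnerable pattern behind ZipSlip: the entry name is
// joined to dest with no check on where the result lands, so "../evil.txt"
// resolves to a file in dest's parent directory.
func unsafeTarget(dest, name string) string {
	return filepath.Join(dest, name)
}

// safeJoin is the hardened form. filepath.Join cleans the result, so the check
// is on the final path: it must be dest itself or lie strictly below dest.
func safeJoin(dest, name string) (string, error) {
	destClean := filepath.Clean(dest)
	target := filepath.Join(destClean, name)
	if target != destClean && !strings.HasPrefix(target, destClean+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q", ErrZipSlip, name)
	}
	return target, nil
}

// entry is one archive member; archives built from these are constructed
// sample input, not real-world files.
type entry struct{ Name, Body string }

// buildZip writes entries to an in-memory zip archive. archive/zip's writer
// does not validate names, so it will emit "../evil.txt" as-is.
func buildZip(entries []entry) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.Name)
		if err != nil {
			return nil, err
		}
		if _, err := io.WriteString(w, e.Body); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// unzipTo extracts archive beneath dest. Every entry name is validated with
// safeJoin before anything is written, so a crafted archive is rejected
// without leaving a partial extraction behind. It returns the paths written.
func unzipTo(archive []byte, dest string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	targets := make([]string, len(zr.File))
	for i, f := range zr.File {
		if targets[i], err = safeJoin(dest, f.Name); err != nil {
			return nil, err
		}
	}
	var written []string
	for i, f := range zr.File {
		target := targets[i]
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		if err := copyEntry(f, target); err != nil {
			return written, err
		}
		written = append(written, target)
	}
	return written, nil
}

// copyEntry streams one archive member to target.
func copyEntry(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.Create(target)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

func main() {
	dest, err := os.MkdirTemp("", "unzip-demo-*")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	benign, _ := buildZip([]entry{{"docs/readme.txt", "hello"}})
	malicious, _ := buildZip([]entry{{"docs/readme.txt", "hello"}, {"../evil.txt", "pwned"}})
	fmt.Println("unsafe target:", unsafeTarget(dest, "../evil.txt"))
	w, err := unzipTo(benign, dest)
	fmt.Println("benign:", w, err)
	w, err = unzipTo(malicious, dest)
	fmt.Println("malicious:", w, err)
}
```

The check is made on the cleaned, joined path rather than on the raw entry name, which is why "a/../b.txt" (which stays inside dest) passes while "a/../../x" is rejected. An absolute entry name such as "/etc/passwd" is simply re-rooted under dest by filepath.Join. Go 1.20 added filepath.IsLocal, which gives an equivalent name-level test, and archive/zip can be made to flag such names itself with GODEBUG=zipinsecurepath=0; the explicit check above does not depend on either.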
Products affected by CVE-2022-41920
- cpe:2.3:a:lancet_project:lancet:*:*:*:*:*:go:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-41920
0.21% (probability of exploitation activity in the next 30 days)
~59% percentile (the proportion of scored vulnerabilities with an EPSS score at or below this one)
CVSS scores for CVE-2022-41920
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | 2.8 | 3.4 | GitHub, Inc. |

Both scorings share the same exploitability metrics (network vector, low attack complexity, no privileges required, user interaction required, unchanged scope) and differ only in the rated impact: NIST rates confidentiality, integrity and availability impact as High, GitHub rates all three as Low, which accounts for the 8.8 versus 6.3 base scores.
CWE ids for CVE-2022-41920
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
  Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-41920
- https://github.com/duke-git/lancet/commit/f869a0a67098e92d24ddd913e188b32404fa72c9
  "fix: issue#62: fix ZipSlip bug" (duke-git/lancet@f869a0a). Patch; Third Party Advisory
- https://github.com/duke-git/lancet/commit/f133b32faa05eb93e66175d01827afa4b7094572
  "fix: issue#62: fix ZipSlip bug" (duke-git/lancet@f133b32). Patch; Third Party Advisory
- https://github.com/duke-git/lancet/issues/62
  "How to get in touch regarding a security concern?" (duke-git/lancet issue #62). Issue Tracking; Third Party Advisory
- https://github.com/duke-git/lancet/security/advisories/GHSA-pp3f-xrw5-q5j4
  "ZipSlip issue when unzip files" (duke-git/lancet advisory GHSA-pp3f-xrw5-q5j4). Exploit; Third Party Advisory