Vulnerability

CVE-2021-23772

Report advisory or correction

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-59

References

https://github.com/advisories/GHSA-jcxc-rh6w-wf49

https://github.com/kataras/iris/blob/master/HISTORY.md#fixes-and-improvements

https://www.tenable.com/cve/CVE-2021-23772

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23772

[CVE-2021-23772] CWE-59: Improper Link Resolution Before File Access ('Link Following')

Description

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.

See github.com/kataras/iris/v12 package information