GHSA-pp3f-xrw5-q5j4, CVE-2022-41920
go/github.com/duke-git/lancet/v2/fileutil
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Lancet is a general utility library for the go programming language. Affected versions are subject to a ZipSlip issue when using the fileutil package to unzip files. This issue has been addressed and a fix will be included in versions 2.1.10 and 1.3.4. Users are advised to upgrade. There are no known workarounds for this issue.
All versions starting from 1.0.0 before 1.3.4, all versions starting from 2.0.0 before 2.1.10
Upgrade to versions 1.3.4, 2.1.10 or above.
2022-11-22
source |