CVE-2022-41920

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go/github.com/duke-git/lancet/v2/fileutil

Identifiers

GHSA-pp3f-xrw5-q5j4, CVE-2022-41920

Package Slug

go/github.com/duke-git/lancet/v2/fileutil

Vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Description

Lancet is a general utility library for the go programming language. Affected versions are subject to a ZipSlip issue when using the fileutil package to unzip files. This issue has been addressed and a fix will be included in versions 2.1.10 and 1.3.4. Users are advised to upgrade. There are no known workarounds for this issue.

Affected Versions

All versions starting from 1.0.0 before 1.3.4, all versions starting from 2.0.0 before 2.1.10

Solution

Upgrade to versions 1.3.4, 2.1.10 or above.

Last Modified

2022-11-22

source