Arbitrary File Read Affecting github.com/sensepost/gowitness/cmd package, versions <2.3.6


Severity

Recommended: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS: 0.14% (50th percentile)

  • Snyk ID: SNYK-GOLANG-GITHUBCOMSENSEPOSTGOWITNESSCMD-1303094
  • Published: 10 Jun 2021
  • Disclosed: 10 Jun 2021
  • Credit: Unknown

Introduced: 10 Jun 2021

CVE-2021-33359
CWE-22

How to fix?

Upgrade github.com/sensepost/gowitness/cmd to version 2.3.6 or higher.

Overview

github.com/sensepost/gowitness/cmd is a Go web screenshot utility using Chrome Headless.

Affected versions of this package are vulnerable to Arbitrary File Read. An unauthenticated attacker can supply a file:// URL in the url parameter, and gowitness will render the referenced local file and return it as an image, exposing the contents of any file readable by the gowitness process.
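The root cause described above is that the screenshot endpoint accepts any URL scheme Chrome can render. The usual mitigation is an allow-list of schemes (http and https only) checked before the browser is handed the URL. The following is an added example of such a check, written for this page; it is not gowitness's own code, and the function name ValidateScreenshotURL and the sample inputs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrDisallowedScheme is returned for any scheme outside the allow-list
// (file, data, ftp, an empty scheme for bare paths, and so on).
var ErrDisallowedScheme = errors.New("url scheme not allowed")

// allowedSchemes is the allow-list; an allow-list is preferred over a
// deny-list of "file" because Chrome can render several other local or
// non-network schemes as well.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// ValidateScreenshotURL parses raw and returns its normalized form if it
// uses an allowed scheme and names a host; otherwise it returns an error.
// Assumed to be called before a URL is passed to the headless browser.
func ValidateScreenshotURL(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", fmt.Errorf("invalid url: %w", err)
	}
	// Compare case-insensitively so "FILE://" cannot bypass the check.
	scheme := strings.ToLower(u.Scheme)
	if !allowedSchemes[scheme] {
		return "", fmt.Errorf("%w: %q", ErrDisallowedScheme, u.Scheme)
	}
	// A scheme-only URL such as "http:/etc/passwd" has no host; reject it.
	if u.Host == "" {
		return "", errors.New("url has no host")
	}
	return u.String(), nil
}

func main() {
	// Constructed sample inputs, including the kind of request the advisory describes.
	samples := []string{
		"https://example.com/",
		"HTTP://example.com/login",
		"file:///etc/passwd",
		"FILE:///etc/passwd",
		"/etc/passwd",
		"data:text/html,hello",
	}
	for _, s := range samples {
		if got, err := ValidateScreenshotURL(s); err != nil {
			fmt.Printf("reject %-28s -> %v\n", s, err)
		} else {
			fmt.Printf("accept %-28s -> %s\n", s, got)
		}
	}
}
```

The scheme check addresses the file:// read in this advisory only; it does not, on its own, stop an http(s) URL from pointing the browser at internal hosts or link-local metadata services, which needs a separate host/IP policy if the endpoint is reachable by untrusted users.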

CVSS Scores (version 3.1)