QwikSec

Security Database

CVE

CWE

Training

CVE-2022-21221

Published: Mar 17, 2022

Modified: Sep 16, 2024

PUBLISHED

CVSS v3.1

5.9

MEDIUM

Description

The package github.com/valyala/fasthttp before 1.34.0 are vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization. It is possible to be exploited by using a backslash %5c character in the path. **Note:** This security issue impacts Windows users only.

Vendor	Product	Versions
n/a	github.com/valyala/fasthttp	affected `unspecified - < 1.34.0`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMVALYALAFASTHTTP-2407866

x_refsource_MISC

https://github.com/valyala/fasthttp/issues/1226

x_refsource_MISC

https://github.com/valyala/fasthttp/commit/6b5bc7bb304975147b4af68df54ac214ed2554c1

x_refsource_MISC

https://github.com/valyala/fasthttp/commit/15262ecf3c602364639d465daba1e7f3604d00e8

x_refsource_MISC

https://github.com/valyala/fasthttp/releases/tag/v1.34.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.