CVE Vulnerability

CVE-2022-41920

Lancet is a general utility library for the go programming language. Affected versions are subject to a ZipSlip issue when using the fileutil package to unzip files. This issue has been addressed and a fix will be included in versions 2.1.10 and 1.3.4. Users are advised to upgrade. There are no known workarounds for this issue.

8.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/duke-git/lancet/issues/62 Issue Tracking Third Party Advisory
https://github.com/duke-git/lancet/commit/f869a0a67098e92d24ddd913e188b32404fa72c9 Patch Third Party Advisory
https://github.com/duke-git/lancet/commit/f133b32faa05eb93e66175d01827afa4b7094572 Patch Third Party Advisory
https://github.com/duke-git/lancet/security/advisories/GHSA-pp3f-xrw5-q5j4 Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:lancet_project:lancet:*:*:*:*:*:go:*:*
cpe:2.3:a:lancet_project:lancet:*:*:*:*:*:go:*:*
Information

Published : 2022-11-17 06:15

Updated : 2022-11-22 07:09

NVD link : CVE-2022-41920

Mitre link : CVE-2022-41920

Products Affected
No products.
CWE
CWE-22