CVE-2020-15111

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-15111

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15111.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-15111

Aliases

Withdrawn

2024-05-08T06:50:39.307427Z

Published

2020-07-20T18:15:12Z

Modified

2023-11-28T18:24:20.273710Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

In Fiber before version 1.12.6, the filename that is given in c.Attachment() (https://docs.gofiber.io/ctx#attachment) is not escaped, and therefore vulnerable for a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc. A possible workaround is to serialize the input before passing it to ctx.Attachment().

References

Affected packages

Git / github.com/gofiber/fiber

Affected ranges

Type: GIT
Repo: https://github.com/gofiber/fiber
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

a6d333730881903da4d3e3ef2592c6f9abc7b8e2

Affected versions

v1.*

v1.0.0

v1.10.0

v1.10.5

v1.11.0

v1.11.1

v1.12.0

v1.12.1

v1.12.2

v1.12.3

v1.12.4

v1.12.5

v1.7.1

v1.8.0

v1.8.1

v1.8.2

v1.8.3

v1.8.4

v1.8.41

v1.8.42

v1.8.43

v1.9.0

v1.9.1

v1.9.2

v1.9.3

v1.9.6