GO-2022-0230

Source
https://pkg.go.dev/vuln/GO-2022-0230
Import Source
https://vuln.go.dev/ID/GO-2022-0230.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0230
Aliases
Published
2022-07-01T20:17:57Z
Modified
2024-09-03T06:42:01.772076Z
Summary
Improper limitation of path name in github.com/containernetworking/cni
Details

The FindInPath function is vulnerable to directory traversal attacks, potentially permitting attackers to execute arbitrary binaries.

This function does not sanitize its plugin parameter, so plugin names containing "../" or similar path elements may reference arbitrary locations on the filesystem.
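The traversal described above, shown in a minimal search-path lookup next to a version that validates the name first. This is an added example, not code from github.com/containernetworking/cni: `naiveFind`, `safeFind`, `mustSampleTree` and the temporary file layout are hypothetical and constructed for illustration.

```go
// Added example; all names are hypothetical, not the cni module's code.
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

func naiveFind(plugin string, dirs []string) (string, error) {
	for _, dir := range dirs {
		full := filepath.Join(dir, plugin) // unchecked name: "../" segments escape dir
		if fi, err := os.Stat(full); err == nil && fi.Mode().IsRegular() {
			return full, nil
		}
	}
	return "", fmt.Errorf("plugin %q not found", plugin)
}

func safeFind(plugin string, dirs []string) (string, error) {
	if plugin == "" || plugin == "." || plugin == ".." || strings.ContainsAny(plugin, "/\\\x00") {
		return "", fmt.Errorf("invalid plugin name %q", plugin)
	}
	return naiveFind(plugin, dirs) // name is a single path component
}

func mustSampleTree() string {
	root, err := os.MkdirTemp("", "cni-demo")
	for _, f := range []string{"plugins/bridge", "other/tool"} { // constructed files
		if err == nil {
			err = os.MkdirAll(filepath.Join(root, filepath.Dir(f)), 0o755)
		}
		if err == nil {
			err = os.WriteFile(filepath.Join(root, f), []byte("#!/bin/sh\n"), 0o755)
		}
	}
	if err != nil {
		panic(err)
	}
	return root
}

func main() {
	root := mustSampleTree()
	defer os.RemoveAll(root)
	dirs := []string{filepath.Join(root, "plugins")}
	fmt.Println(naiveFind("../other/tool", dirs)) // found outside plugins/
	fmt.Println(safeFind("../other/tool", dirs))  // rejected before lookup
}
```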

References

Affected packages

Go / github.com/containernetworking/cni

Package

Name
github.com/containernetworking/cni
Purl
pkg:golang/github.com/containernetworking/cni

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.8.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/containernetworking/cni/pkg/invoke",
            "symbols": [
                "DelegateAdd",
                "DelegateCheck",
                "DelegateDel",
                "FindInPath",
                "RawExec.FindInPath"
            ]
        }
    ]
}