For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations (in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path) to result in generated paths that were outside of the provided rootfs.
It is unclear to what extent this has a practical impact on real users, but given the possible severity of the issue we have released an emergency patch release that resolves this issue.
WS-2023-0316 - High Severity Vulnerability
Proposed filepath.SecureJoin implementation
Library home page: https://proxy.golang.org/github.com/cyphar/filepath-securejoin/@v/v0.2.1.zip
Dependency Hierarchy: - :x: **github.com/cyphar/filepath-securejoin-v0.2.1** (Vulnerable Library)
Found in HEAD commit: cd87321da747fd23c6285641b10b0432943dfed6
Found in base branch: master
For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations (in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path) to result in generated paths that were outside of the provided rootfs. It is unclear to what extent this has a practical impact on real users, but given the possible severity of the issue we have released an emergency patch release that resolves this issue.
Publish Date: 2023-09-06
URL: WS-2023-0316
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/cyphar/filepath-securejoin/security/advisories/GHSA-6xv5-86q9-7xr8
Release Date: 2023-09-06
Fix Resolution: v0.2.4
Step up your Open Source Security Game with Mend here