For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations (in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path) to result in generated paths that were outside of the provided rootfs.
It is unclear to what extent this has a practical impact on real users, but given the possible severity of the issue we have released an emergency patch release that resolves this issue.
WS-2023-0316 - High Severity Vulnerability
Proposed filepath.SecureJoin implementation
Library home page: https://proxy.golang.org/github.com/cyphar/filepath-securejoin/@v/v0.2.2.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/cyphar/filepath-securejoin/@v/v0.2.2.mod
Dependency Hierarchy: - helm.sh/helm/v3-v3.4.1 (Root Library) - :x: **github.com/cyphar/filepath-securejoin-v0.2.2** (Vulnerable Library)
Found in base branch: main
For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations (in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path) to result in generated paths that were outside of the provided rootfs. It is unclear to what extent this has a practical impact on real users, but given the possible severity of the issue we have released an emergency patch release that resolves this issue.
Publish Date: 2024-11-03
URL: WS-2023-0316
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/cyphar/filepath-securejoin/security/advisories/GHSA-6xv5-86q9-7xr8
Release Date: 2023-09-06
Fix Resolution: v0.2.4