For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations (in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path) to result in generated paths that were outside of the provided rootfs.
It is unclear to what extent this has a practical impact on real users, but given the possible severity of the issue we have released an emergency patch release that resolves this issue.
WS-2023-0316 - High Severity Vulnerability
Vulnerable Library - github.com/cyphar/filepath-securejoin-v0.2.2
Proposed filepath.SecureJoin implementation
Library home page: https://proxy.golang.org/github.com/cyphar/filepath-securejoin/@v/v0.2.2.zip
Dependency Hierarchy: - github.com/google/cadvisor/container/common-v0.35.0 (Root Library) - github.com/google/cadvisor/container-v0.35.0 - github.com/google/cadvisor/container/docker-v0.35.0 - github.com/google/cadvisor/container/libcontainer-v0.35.0 - github.com/opencontainers/runc-v1.0.0-rc9 - :x: **github.com/cyphar/filepath-securejoin-v0.2.2** (Vulnerable Library)
Found in base branch: master
Vulnerability Details
For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations (in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path) to result in generated paths that were outside of the provided rootfs. It is unclear to what extent this has a practical impact on real users, but given the possible severity of the issue we have released an emergency patch release that resolves this issue.
Publish Date: 2023-09-06
URL: WS-2023-0316
CVSS 3 Score Details (7.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/cyphar/filepath-securejoin/security/advisories/GHSA-6xv5-86q9-7xr8
Release Date: 2023-09-06
Fix Resolution: v0.2.4
Step up your Open Source Security Game with Mend here