CVE-2021-23772 HIGH

CVE-2021-23772: Arbitrary File Write

Vendor N/A
Product github.com/kataras/iris
Published December 24, 2021
Last update September 16, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

This affects all versions of the package github.com/kataras/iris and all versions of the package github.com/kataras/iris/v12. Unsafe handling of file names during upload with the UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.
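
One way an application can neutralise client-supplied file names before writing an upload to disk, shown as an added example (it is not code from Iris or from this advisory). `SafeUploadPath`, `ErrUnsafeName` and the `/srv/uploads` directory are hypothetical names chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned when a client-supplied file name cannot be
// mapped to a location inside the upload directory.
var ErrUnsafeName = errors.New("unsafe upload file name")

// SafeUploadPath (hypothetical helper, not an Iris API) maps the file name
// taken from a multipart part to a path that stays inside destDir.
func SafeUploadPath(destDir, clientName string) (string, error) {
	// Treat both separator styles as separators, whatever the host OS is.
	name := strings.ReplaceAll(clientName, "\\", "/")
	// Keep only the final element: "../../etc/passwd" becomes "passwd".
	name = path.Base(path.Clean("/" + name))
	if name == "/" || name == "." || name == ".." || strings.ContainsRune(name, 0) {
		return "", ErrUnsafeName
	}
	root, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(root, name)
	// Defence in depth: confirm the joined path did not leave the root.
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return target, nil
}

func main() {
	// Constructed sample names, as they might arrive in an upload request.
	for _, n := range []string{"report.pdf", "../../etc/passwd", `..\..\boot.ini`, "..", ""} {
		p, err := SafeUploadPath("/srv/uploads", n)
		fmt.Printf("%q -> %q, %v\n", n, p, err)
	}
}
```

The helper does not follow symbolic links, so the upload directory itself should not contain links that point outside it.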

Key dates

02 Disclosure timeline

December 24, 2021 CVE published
September 16, 2024 Record updated