CVE-2022-41920 MEDIUM

CVE-2022-41920: Zip slip in Lancet

Vendor Duke-Git
Product lancet
Weakness CWE-22 · Path traversal
Published November 17, 2022
Last update April 22, 2025

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

Lancet is a general utility library for the Go programming language. Affected versions are subject to a ZipSlip issue when using the fileutil package to unzip files. This issue has been addressed and a fix will be included in versions 2.1.10 and 1.3.4. Users are advised to upgrade. There are no known workarounds for this issue.
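Zip Slip (CWE-22) is closed by resolving each archive entry name under the extraction directory and refusing any result that lands outside it. The following is an added example, not Lancet's code or its fix; `safeTarget`, `planExtract`, `sampleZip` and the archive contents are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// safeTarget joins name under destDir and rejects paths that escape it (Zip Slip).
func safeTarget(destDir, name string) (string, error) {
	dest := filepath.Clean(destDir)
	target := filepath.Join(dest, name) // Join also resolves ".." segments
	if target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %q", name, dest)
	}
	return target, nil
}

// planExtract lists where each entry would be written and which are refused.
func planExtract(data []byte, destDir string) (targets, rejected []string, err error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if r == nil { // a non-nil reader may accompany ErrInsecurePath; names are checked below
		return nil, nil, err
	}
	for _, f := range r.File {
		if t, terr := safeTarget(destDir, f.Name); terr != nil {
			rejected = append(rejected, f.Name)
		} else {
			targets = append(targets, t)
		}
	}
	return targets, rejected, nil
}

// sampleZip builds a constructed archive: two benign entries, one traversal.
func sampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range []string{"docs/readme.txt", "a/../b.txt", "../../outside.txt"} {
		w.Create(n) // empty entries are enough to exercise the name check
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	fmt.Println(planExtract(sampleZip(), "out"))
}
```

The separator appended to the prefix keeps a sibling directory such as `out-evil` from passing as `out`. The check covers entry names only; symlink entries inside an archive need separate handling.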

Key dates

02 Disclosure timeline

November 17, 2022 CVE published
April 22, 2025 Record updated