CVE-2019-13915: b3log Wide unauthenticated file access
7.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.55665%
CWE
Published
5/24/2022
Updated
8/25/2023
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/b3log/wide | go | < 1.6.0 | 1.6.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability describes three attack vectors: ZIP symlink extraction, Git repository symlink imports, and code execution abuse.
- ZIP handling: The
file.handleZipUpload
function likely uses Go'sarchive/zip
without sanitizing filenames or checking for symlinks, enabling path traversal. - Git imports:
git.ImportRepository
would clone repositories without validating symlinks, mirroring the ZIP issue. - Code execution:
playground.CompileAndRun
likely usesos/exec
to run user code without proper sandboxing, allowing file reads via Go code injection. These functions align with the described CWE-59 and CWE-74 patterns and standard Go file-handling pitfalls.