
CVE-2020-26283: Control character injection in console output in github.com/ipfs/go-ipfs

CVSS Score (CVSS 3.1): 6.8

Basic Information

EPSS Score: 0.74041%
Published: 6/23/2021
Updated: 1/9/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

Package Name: github.com/ipfs/go-ipfs
Ecosystem: go
Vulnerable Versions: < 0.8.0
First Patched Version: 0.8.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unescaped control characters in CLI output across multiple command handlers. The GitHub commit diff shows these functions were modified to add EscNonPrint escaping, indicating that they previously wrote user-controlled data to the console without sanitization. Each identified function handles user-provided strings (filenames, paths, keys, etc.) and passed them directly to output functions such as fmt.Fprintf without escaping, which enables control character injection into the terminal. The high confidence comes from explicit patching evidence in the commit, where escaping was added at these specific output locations.
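As an added illustration (this is not go-ipfs code; escNonPrint, renderListing and hasRawControl are names made up for this page), the Go below places the unescaped output path beside an escaping step modelled on the fix, and runs both over a constructed filename that carries ESC and CR:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// escNonPrint replaces each non-printable rune with its Go escape (ESC -> \x1b,
// CR -> \r, U+200B -> \u200b) so a terminal never interprets control bytes from
// a user-supplied name. Hypothetical helper, not go-ipfs's own EscNonPrint.
func escNonPrint(s string) string {
	var b strings.Builder
	for _, r := range s {
		if unicode.IsPrint(r) {
			b.WriteRune(r)
		} else {
			q := strconv.QuoteRune(r) // e.g. '\x1b'; drop the surrounding quotes
			b.WriteString(q[1 : len(q)-1])
		}
	}
	return b.String()
}

// renderListing stands in for a CLI handler that prints one entry per line.
// escape=false mirrors the pre-0.8.0 path: names reach fmt.Fprintf verbatim.
func renderListing(names []string, escape bool) string {
	var b strings.Builder
	for _, name := range names {
		if escape {
			name = escNonPrint(name)
		}
		fmt.Fprintf(&b, "%s\n", name)
	}
	return b.String()
}

// hasRawControl reports whether rendered output still carries a control rune
// other than the line separator; a cheap check to run over CLI output.
func hasRawControl(out string) bool {
	for _, r := range out {
		if r != '\n' && unicode.IsControl(r) {
			return true
		}
	}
	return false
}
```

With a constructed name such as "evil\x1b[2J\rfake.txt", renderListing(names, false) emits the raw clear-screen and carriage-return bytes, while renderListing(names, true) prints the literal text evil\x1b[2J\rfake.txt and hasRawControl returns false for it.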


WAF Protection Rules

WAF Rule

Impact

Control characters are not escaped from console output. This can result in hiding input from the user, which could result in the user taking an unknown, malicious action.

Patches
