Miggo Logo
Miggo Vulnerability Database
CVE-2022-41920

CVE-2022-41920: Lancet vulnerable to path traversal when unzipping files

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-41920
GHSA ID
GHSA-pp3f-xrw5-q5j4
EPSS Score
0.2932%
CWE
CWE-22
Published
11/21/2022
Updated
8/29/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/duke-git/lancet/v2go>= 2.0.0, < 2.1.102.1.10
github.com/duke-git/lancetgo< 1.3.41.3.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. The vulnerability explicitly mentions 'ZipSlip when unzipping files' in fileutil package
  2. Commit diff shows the vulnerability was in UnZip function's path construction logic
  3. Pre-patch code used direct filepath.Join() without validation
  4. The patch introduces safeFilepathJoin to prevent path traversal
  5. Go vulnerability database (GO-2022-1114) specifically lists UnZip as affected symbol
  6. CWE-22 classification matches the ZipSlip pattern of improper path limitation

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t _W**t kin* o* vuln*r**ility is it? W*o is imp**t**?_ ZipSlip issu* w**n us* *il*util p**k*** to unzip *il*s. ### P*t***s _**s t** pro*l*m ***n p*t****? W**t v*rsions s*oul* us*rs up*r*** to?_ It will *ix** in v*.*.**, Pl**s* up*r*** v*r

Reasoning

*. T** vuln*r**ility *xpli*itly m*ntions 'ZipSlip w**n unzippin* *il*s' in *il*util p**k*** *. *ommit *i** s*ows t** vuln*r**ility w*s in UnZip *un*tion's p*t* *onstru*tion lo*i* *. Pr*-p*t** *o** us** *ir**t *il*p*t*.Join() wit*out v*li**tion *. T**
CVE-2022-41920: Lancet Unzip Path Trav Flaw | Miggo