CVE-2021-23772

HIGH

iris-go/iris and kataras/iris - Arbitrary File Write via UploadFormFiles Method

Title source: llm

Description

This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.

References (3)

Core 3

Core References

Exploit, Patch, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169

Exploit, Patch, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170

Patch, Third Party Advisory x_refsource_misc

https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0182

EPSS Percentile 76.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-59

Status published

Products (4)

iris-go/iris 12.2.0 alpha (5 CPE variants)

iris-go/iris < 12.1.8

kataras/iris 0Go

kataras/iris 0 - 12.2.0-alpha8Go

Published Dec 24, 2021

Tracked Since Feb 18, 2026