CVE-2021-27919

Public on 2021-03-11
Modified on 2023-12-11
Description

archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.

Severity
Medium
See what this means
CVSS v3 Base Score
5.5
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 golang 2022-09-15 03:57 ALAS-2022-1635
Amazon Linux 1 golang 2022-04-25 15:59 ALAS-2022-1583
Amazon Linux 2 - Core golang 2022-07-28 21:55 ALAS2-2022-1830

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
NVD CVSSv3 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
NVD CVSSv2 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P