CVE-2020-15111
CVE-2020-15111 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. In Fiber before version 1.12.6, the filename that is given to c.Attachment() (https://docs.gofiber.io/ctx#attachment) is not escaped and is therefore vulnerable to a CRLF injection attack. EPSS estimates a 0.86% chance of exploitation in the next 30 days.
Description
In Fiber before version 1.12.6, the filename that is given to c.Attachment() (https://docs.gofiber.io/ctx#attachment) is not escaped and is therefore vulnerable to a CRLF injection attack. That is, an attacker could upload a file with a crafted filename and then give the download link to the victim. Because the filename is written unescaped into the Content-Disposition header, a CR/LF sequence in it ends that header line, so the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc. A possible workaround is to sanitize the input before passing it to ctx.Attachment().
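The workaround above, as an added example that is not part of the NVD record or of the Fiber project's own code: a small Go helper that strips line breaks and other control characters from an untrusted filename before it is handed to c.Attachment(). The function name, the replacement character and the "download" fallback are assumptions; the hostile input is constructed for the demonstration. Applications on a fixed Fiber release (1.12.6 or later) get header escaping from the framework and should still treat user-supplied filenames as untrusted.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// sanitizeAttachmentFilename neutralises the characters that let an
// untrusted filename break out of the Content-Disposition header value:
// CR and LF (which would end the header line and start a new one) and
// every other control character are replaced with '_'; the double quote,
// which would close the quoted filename parameter, and path separators
// are dropped so the result is a bare file name. The returned value is
// what should be passed to c.Attachment(). If nothing usable survives, a
// fixed fallback name is returned (assumption: "download").
func sanitizeAttachmentFilename(name string) string {
	var b strings.Builder
	for _, r := range name {
		switch {
		case r == '\r' || r == '\n' || unicode.IsControl(r):
			b.WriteRune('_')
		case r == '"' || r == '/' || r == '\\':
			// Dropped: would either close the quoted parameter or turn
			// the name into a path.
			continue
		default:
			b.WriteRune(r)
		}
	}
	out := strings.TrimSpace(b.String())
	if out == "" {
		return "download"
	}
	return out
}

// containsCRLF is the check a defender wants to assert on: no header
// value derived from user input may still carry a line break.
func containsCRLF(v string) bool {
	return strings.ContainsAny(v, "\r\n")
}

func main() {
	// Constructed hostile filename: a CRLF followed by an extra header line.
	hostile := "report.pdf\r\nX-Injected: 1"
	safe := sanitizeAttachmentFilename(hostile)
	fmt.Printf("raw:       %q (has CRLF: %v)\n", hostile, containsCRLF(hostile))
	fmt.Printf("sanitized: %q (has CRLF: %v)\n", safe, containsCRLF(safe))
	// In a Fiber handler the call would then be c.Attachment(safe).
}
```

The helper deliberately replaces rather than silently deletes control characters, so a log entry or a returned filename still shows that something was removed, which makes abuse attempts easier to spot in application logs.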
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Gofiber | Fiber | < 1.12.6 |
References
- https://github.com/gofiber/fiber/pull/579/commits/f698b5d5066cfe594102ae252cd58a1fe57cf56f (Patch, Third Party Advisory)
- https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh (Third Party Advisory)
Source: NVD / NIST
