PT-2020-14193 · Fiber · Fiber

Abdshaleh +2 · Published 2020-07-20 · Updated 2021-10-07 · CVE-2020-15111

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Fiber versions prior to 1.12.6

Description: The issue arises from improper input sanitization in the c.Attachment() function, allowing a maliciously constructed filename to inject additional headers into an HTTP response. This can lead to a CRLF injection attack, where an attacker could upload a custom filename, change the name of the downloaded file, redirect to another site, or change the authorization header.

Recommendations: For versions prior to 1.12.6, a possible workaround is to serialize the input before passing it to ctx.Attachment(). This issue has been patched in version 1.12.6, so updating to this version or later will resolve the issue.
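The pattern behind the advisory, as an added example in plain Go (not Fiber's code and not from the advisory): the unsafe build concatenates the filename straight into the raw header line, so a CR/LF in it terminates Content-Disposition and starts a new header; the hardened build rejects control bytes first and then lets the standard library quote the parameter. The function names and the sample filename are assumptions for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"strings"
)

// ErrUnsafeFilename is returned for names carrying bytes that can end the
// header line (CR, LF) or any other control character.
var ErrUnsafeFilename = errors.New("attachment filename contains control characters")

// buildAttachmentHeaderUnsafe is the vulnerable pattern: no check, raw concatenation.
func buildAttachmentHeaderUnsafe(filename string) string {
	return "Content-Disposition: attachment; filename=\"" + filename + "\"\r\n"
}

// validateAttachmentFilename rejects every byte below 0x20 and DEL (0x7F).
// CR and LF are the ones that enable header injection; none of the others
// belong in a filename parameter either.
func validateAttachmentFilename(filename string) error {
	for i := 0; i < len(filename); i++ {
		if filename[i] < 0x20 || filename[i] == 0x7F {
			return ErrUnsafeFilename
		}
	}
	return nil
}

// buildAttachmentHeader is the hardened form: validate, then let
// mime.FormatMediaType quote/escape (or RFC 2231-encode) the value.
func buildAttachmentHeader(filename string) (string, error) {
	if err := validateAttachmentFilename(filename); err != nil {
		return "", err
	}
	value := mime.FormatMediaType("attachment", map[string]string{"filename": filename})
	if value == "" {
		return "", ErrUnsafeFilename
	}
	return "Content-Disposition: " + value + "\r\n", nil
}

// injectedHeaderLines counts extra header lines smuggled into one raw header.
func injectedHeaderLines(raw string) int {
	return strings.Count(strings.TrimSuffix(raw, "\r\n"), "\r\n")
}

func main() {
	evil := "report.pdf\r\nX-Injected: 1" // constructed sample, not from the advisory
	fmt.Printf("unsafe build smuggles %d extra header line(s)\n", injectedHeaderLines(buildAttachmentHeaderUnsafe(evil)))
	_, err := buildAttachmentHeader(evil)
	fmt.Println("hardened build:", err)
}
```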

Fix

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2020-15111
GHSA-9CX9-X2GP-9QVH
GO-2021-0108

Affected Products

Fiber