PT-2021-15550 · Kataras+1 · Iris+1

Kirill Efimov · Published 2021-12-24 · Updated 2022-07-15 · CVE-2021-23772

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: github.com/kataras/iris versions prior to a fixed version; github.com/kataras/iris/v12 versions prior to a fixed version.
Description: The issue arises from unsafe handling of client-supplied file names during upload in the UploadFormFiles method, which may allow an attacker to write files to arbitrary locations outside the designated target folder. This vulnerability can be exploited through directory traversal attacks; the Context.UploadFormFiles function is the affected entry point. The issue is mitigated when the application is built with Go 1.17 or later, because those Go versions strip directory components from the file name returned by mime/multipart.Part.FileName.
Recommendations: For github.com/kataras/iris versions prior to a fixed version, and for github.com/kataras/iris/v12 versions prior to a fixed version, consider disabling the UploadFormFiles method until a patch is available. As a temporary workaround, restrict the handling of file uploads so that files cannot be written outside the designated target folder.
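As an added illustration (not code from the Iris project or from this advisory), the following Go helper shows the kind of file-name normalisation that Go 1.17's mime/multipart performs and that an application built with an older Go version must perform itself before joining the name with the upload directory. The function name safeUploadPath and the directory /srv/uploads are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// safeUploadPath turns a client-supplied file name (such as
// multipart.FileHeader.Filename on Go versions before 1.17, which did not
// strip directory components) into a path guaranteed to sit directly inside
// targetDir. Hypothetical helper written for this example, not Iris code.
func safeUploadPath(targetDir, clientName string) (string, error) {
	// Normalise both separator styles before taking the base name, so that a
	// name using backslashes cannot keep its directory part on a platform
	// whose separator is "/".
	name := filepath.Base(strings.ReplaceAll(clientName, "\\", "/"))
	if name == "" || name == "." || name == ".." || name == string(filepath.Separator) {
		return "", errors.New("invalid upload file name")
	}
	absDir, err := filepath.Abs(targetDir)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(absDir, name)
	// Belt-and-braces check: the final path must still resolve inside targetDir.
	rel, err := filepath.Rel(absDir, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("upload path escapes target directory")
	}
	return dest, nil
}

func main() {
	// Constructed sample names, including the traversal shape the advisory describes.
	for _, n := range []string{"report.pdf", "../../etc/passwd", "..", ""} {
		p, err := safeUploadPath("/srv/uploads", n)
		fmt.Printf("%q -> %q (err=%v)\n", n, p, err)
	}
}
```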

Link Following

Weakness Enumeration

Related Identifiers

CVE-2021-23772
GHSA-JCXC-RH6W-WF49
GO-2022-0272
SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169
SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170

Affected Products

Go
Iris