PT-2022-24915 · Unknown · Gin-Vue-Admin

0Xngs · Published 2022-10-25 · Updated 2022-10-26 · CVE-2022-39345

CVSS v3.1 9.8 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Gin-vue-admin versions prior to 2.5.4

Description
Gin-vue-admin is a back-office management system built on Vue and Gin. Its plugin installation function accepts an uploaded zip archive and extracts it with utils.Unzip, which does not validate the names of the archive entries before writing them to disk. An attacker can therefore craft an archive whose entry names contain ../../../../ sequences (a Zip Slip, i.e. relative path traversal during extraction) so that the automatic decompression writes or overwrites arbitrary files on the server outside the intended directory.

Recommendations
For Gin-vue-admin versions prior to 2.5.4, upgrade to version 2.5.4 or later, which contains a patch for this issue. There is no code-level workaround other than upgrading; until the upgrade is applied, restrict access to the plugin installation function (for example, to trusted administrators only) to reduce exposure.
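The flaw and one way to close it, as an added Go example that is not code from the gin-vue-admin project or from this advisory: a constructed in-memory archive carries a benign entry and a ../../../../evil.txt entry; unzipUnsafe joins entry names to the destination directory unchecked, the defect the description above attributes to utils.Unzip, while unzipSafe (an assumed hardening written for this example, not the project's 2.5.4 patch) resolves every entry against the destination and aborts on the first one that lands outside it. The function names, the root/a/b/c/plugins layout and the sample archive are assumptions of this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// buildMaliciousZip builds, in memory, the kind of archive the advisory
// describes: one benign entry plus one whose name carries "../" segments.
// Constructed sample data for this example, not a captured exploit payload.
func buildMaliciousZip() []byte {
	entries := []struct{ name, body string }{
		{"plugin/README.md", "benign plugin file\n"},
		{"../../../../evil.txt", "written outside the extraction directory\n"},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.name) // archive/zip does not reject "../" names here
		if err != nil {
			panic(err)
		}
		if _, err := io.WriteString(w, e.body); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// writeEntry streams one archive entry to target on disk, creating parents.
func writeEntry(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	_, err = io.Copy(out, rc)
	if cerr := out.Close(); err == nil {
		err = cerr
	}
	return err
}

// extractAll walks the archive and writes each entry to the path the resolver
// returns; the resolver is the only difference between the two extractors.
func extractAll(data []byte, dest string, resolve func(dest, name string) (string, error)) error {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return err
	}
	for _, f := range zr.File {
		target, err := resolve(dest, f.Name)
		if err != nil {
			return err
		}
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return err
			}
			continue
		}
		if err := writeEntry(f, target); err != nil {
			return err
		}
	}
	return nil
}

// unsafeJoin is the defect: the entry name is joined to dest and used as-is,
// so "../" segments walk out of dest. Deliberately vulnerable, for comparison.
func unsafeJoin(dest, name string) (string, error) { return filepath.Join(dest, name), nil }

// safeJoin resolves name under dest and rejects any result that lands outside
// it. filepath.Join cleans the path, so the "../" segments are collapsed before
// the containment check rather than string-matched in the raw name.
func safeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, name)
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("zip slip: entry %q escapes %s", name, dest)
	}
	return target, nil
}

func unzipUnsafe(data []byte, dest string) error { return extractAll(data, dest, unsafeJoin) }
func unzipSafe(data []byte, dest string) error   { return extractAll(data, dest, safeJoin) }

// runExtraction extracts the malicious archive into root/a/b/c/plugins with the
// given extractor and reports whether the payload escaped: four "../" segments
// climb from plugins back to root, so an escape shows up as root/evil.txt.
func runExtraction(root string, extract func([]byte, string) error) (escaped bool, err error) {
	dest := filepath.Join(root, "a", "b", "c", "plugins")
	if err := os.MkdirAll(dest, 0o755); err != nil {
		return false, err
	}
	err = extract(buildMaliciousZip(), dest)
	_, statErr := os.Stat(filepath.Join(root, "evil.txt"))
	return statErr == nil, err
}

func main() {
	root, err := os.MkdirTemp("", "zipslip")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for name, fn := range map[string]func([]byte, string) error{"unsafe": unzipUnsafe, "safe": unzipSafe} {
		escaped, err := runExtraction(filepath.Join(root, name), fn)
		fmt.Printf("%-6s escaped=%v err=%v\n", name, escaped, err)
	}
}
```

The check lives on the resolved path, not on the raw entry name: filepath.Join has already collapsed the "../" segments by the time safeJoin compares, so an attacker cannot slip past with encodings that a substring match for ".." would miss. Do not rely on archive/zip to refuse such entry names; by default it hands them back unchanged. Symbolic-link entries need their own handling and are not covered by this example.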

Weakness Enumeration
Path traversal
Relative Path Traversal

Related Identifiers
CVE-2022-39345
GHSA-7GC4-R5JR-9HXV

Affected Products
Gin-Vue-Admin