CVE-2023-1800 — Path traversal in github.com/sjqzhang/go-fastdfs

Description

An attacker can craft a remote request to upload a file to "/group1/upload" that uses path traversal to instead write the file contents to an attacker controlled path on the server.

How to fix CVE-2023-1800

To remediate CVE-2023-1800, upgrade the affected package to a fixed version below.

Go/github.com/sjqzhang/go-fastdfs—upgrade to 1.4.5-0.20230408141131-61cbff5124c6 or later
—upgrade to 1.4.5-0.20230408141131-61cbff5124c6 or later

Is CVE-2023-1800 being exploited?

Moderate — EPSS is 47.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 1.4.5-0.20230408141131-61cbff5124c6
from 0, < 1.4.5-0.20230408141131-61cbff5124c6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (8)

ADVISORYgithub.com/advisories/GHSA-xq3x-grrj-fj6x
ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-1800
PATCHgithub.com/sjqzhang/go-fastdfs
WEBgithub.com/sjqzhang/go-fastdfs/commit/61cbff5124c61e292994099372b11c06cdb5b80b