Improper limitation of path name in github.com/containernetworking/cni

Overview

Source

OSV

GO-2022-0230

Aliases

CVE-2021-20206

GHSA-xjqr-g762-pxwp

Affected package

github.com/containernetworking/cni

Description

The FindInPath function is vulnerable to directory traversal attacks, potentially permitting attackers to execute arbitrary binaries.

This function does not sanitize its plugin parameter, so parameter names containing "../" or other such elements may reference arbitrary locations on the filesystem.

Impact

Reference links

https://bugzilla.redhat.com/show_bug.cgi?id=1919391

https://github.com/containernetworking/cni/pull/808

https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-1070549

https://vuln.go.dev/ID/GO-2022-0230.json

Summary

651

Total packages affected

Packages with at least one version that is affected by the advisory or has an affected dependency.

247

Packages with a known fix

Packages with versions affected by the advisory that have a greater version that is not affected.

0.05%

Total ecosystem affected

The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).

github.com/containernetworking/cni

Affected Version: Introduced: 0, Fixed: 0.8.1

Patched/Unaffected

v0.8.1

February 2, 2021

v1.0.0-rc1.0.20210623150441-b4e078af7a21

March 15, 2024

v1.0.0-rc2.0.20210630160114-76bf3de7f892

March 16, 2024

v1.0.0

August 4, 2021

v1.0.1

September 7, 2021

v1.0.2-0.20220427195220-08f8596ff3be

April 27, 2022

v1.1.0

April 27, 2022

v1.1.1

June 1, 2022

v1.1.2

July 27, 2022

v1.1.3-0.20240108164725-b62753aa2bfa

January 9, 2024

v1.2.0-rc0.0.20240317203738-a448e71e9867

March 18, 2024

v1.2.0-rc0.0.20240319103633-86c37cb0a21b

March 24, 2024

v1.2.0

April 15, 2024

v1.2.1-0.20240513144334-1e7858f9879a

June 10, 2024

June 17, 2024

June 24, 2024

July 22, 2024

April 7, 2025

v1.3.1-0.19700101000000-277757c33328

Affected

v0.8.1-0.20210428152623-7ba00c594ca8

April 29, 2021

v0.8.1-0.20201216164644-62e54113f44a

December 16, 2020

v0.8.0

July 1, 2020

v0.7.2-0.20200304161608-4fae32b84921

March 6, 2020

v0.7.2-0.20190904153231-83439463f784

September 11, 2019

v0.7.2-0.20190807151350-8c6c47d1c7fc

September 10, 2019

v0.7.2-0.20190703150356-dc71cd2ba60c

July 31, 2020

v0.7.2-0.20190612152420-dc953e2fd91f

September 14, 2019

v0.7.1

June 11, 2019

v0.7.0

May 5, 2019

v0.7.0-rc1.0.20190320155802-fbb95fff8a52

March 19, 2024

v0.7.0-alpha1.0.20190313154241-6896907ab40b

March 16, 2024

v0.7.0-alpha1.0.20180926164302-777324ca6b08

September 5, 2019

v0.7.0-alpha1.0.20180912155548-93b8b11111ca

June 14, 2019

v0.7.0-alpha1.0.20180705210735-e67bb289cccf

December 27, 2019

v0.7.0-alpha0.0.20180613150847-07c1a6da47b7

March 19, 2024

v0.6.1-0.20180531184159-86431d5c1606

March 19, 2024

v0.6.1-0.20180218032124-142cde0c766c

July 23, 2019

v0.6.1-0.20170728133050-a7885cb6f8ab

v0.6.0

April 17, 2019

v0.5.3-0.20170705153219-a2da8f8d7fd8

March 19, 2024

v0.5.2

May 3, 2019

v0.5.1

July 24, 2019

v0.5.0

July 24, 2019

v0.4.1-0.20170302172302-1f6efc28b5d2

March 17, 2024

v0.4.0

July 24, 2019

v0.3.1-0.20161010053931-d872391998fb

December 17, 2019

v0.3.1-0.20160725233558-c1ff202179dc

January 7, 2020

v0.3.0

April 18, 2019

v0.3.0-rc3.0.20160527115016-35f3a090b2f7

v0.3.0-rc2.0.20160526112229-6f63d9d70770

v0.3.0-rc1.0.20160525065410-6fb30a67007a

v0.3.0-rc0.0.20160520235557-984ef8117a6c

July 24, 2019

July 24, 2019

July 24, 2019

July 24, 2019

v0.2.0-rc1.0.20160422181337-2ea9379fa464

v0.2.0-rc0.0.20160401122328-0046767be795

v0.1.0

July 24, 2019