CVE-2021-23772
📋 TL;DR
This vulnerability in the Iris web framework allows attackers to perform directory traversal attacks during file uploads. By manipulating file names in the UploadFormFiles method, attackers can write files to arbitrary locations outside the intended upload directory. All applications using affected versions of the Iris framework are vulnerable.
💻 Affected Systems
- github.com/kataras/iris
- github.com/kataras/iris/v12
📦 What is this software?
Iris by Iris Go
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution by overwriting critical system files, configuration files, or web application source code, potentially leading to complete system compromise.
Likely Case
Unauthorized file writes to sensitive directories, potentially enabling data theft, defacement, or privilege escalation through file manipulation.
If Mitigated
Limited to attempted attacks that are blocked by proper input validation and file system permissions, with no successful exploitation.
🎯 Exploit Status
Exploitation requires file upload functionality but no authentication. The vulnerability is straightforward to exploit with basic knowledge of directory traversal techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit e213dba0d32ff66653e0ef124bc5088817264b08
Vendor Advisory: https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08
Restart Required: Yes
Instructions:
1. Update Iris to a version containing commit e213dba0d32ff66653e0ef124bc5088817264b08
2. Run 'go get -u github.com/kataras/iris' or 'go get -u github.com/kataras/iris/v12'
3. Rebuild and redeploy your application
4. Restart the application service
🔧 Temporary Workarounds
Implement custom file upload validation
Add server-side validation to sanitize file names and restrict upload paths before calling UploadFormFiles
Disable file upload functionality
Temporarily disable file upload features until patching is complete
🧯 If You Can't Patch
- Implement strict file name validation using allowlists of safe characters
- Configure file system permissions to restrict write access to only necessary directories
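The file name validation described in the workaround and in the "If You Can't Patch" list, as an added example (not Iris project code): a stdlib-only Go helper that applies a character allowlist and then confirms the resulting path still lies under the upload directory. The function name SafeUploadPath and the /srv/uploads directory are assumptions; an application would call it on each client-supplied name before handing the file to UploadFormFiles.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// allowedName: must start with a letter or digit, then letters, digits, '.', '_' or '-'.
// Path separators and a leading dot are not in the class, so "../x", "..\x",
// ".." and dotfiles such as ".htaccess" are all rejected by the allowlist alone.
var allowedName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// ErrBadFilename is returned for any name that fails validation; callers should
// log the original name, since a rejected '../' is itself a detection signal.
var ErrBadFilename = errors.New("rejected unsafe upload filename")

// SafeUploadPath returns the on-disk destination for a client-supplied file name
// (hypothetical helper) or ErrBadFilename if the name cannot be accepted.
func SafeUploadPath(destDir, clientName string) (string, error) {
	if len(clientName) == 0 || len(clientName) > 255 || !allowedName.MatchString(clientName) {
		return "", ErrBadFilename
	}
	absDir, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absDir, clientName)
	// Defence in depth: independently of the allowlist, insist the joined path
	// did not escape destDir.
	rel, err := filepath.Rel(absDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadFilename
	}
	return full, nil
}

func main() {
	// Constructed sample names: one benign, three traversal or dotfile attempts.
	for _, n := range []string{"report.pdf", "../../etc/passwd", `..\..\boot.ini`, ".htaccess"} {
		p, err := SafeUploadPath("/srv/uploads", n)
		fmt.Printf("%-20q -> %q %v\n", n, p, err)
	}
}
```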
🔍 How to Verify
Check if Vulnerable:
Check whether your application uses the UploadFormFiles method and review the Iris version in go.mod
Check Version:
grep 'github.com/kataras/iris' go.mod
Verify Fix Applied:
Verify the Iris version includes commit e213dba0d32ff66653e0ef124bc5088817264b08 and test file uploads with malicious file names
📡 Detection & Monitoring
Log Indicators:
- File upload attempts with suspicious file names containing '../' sequences
- Unauthorized file write attempts to system directories
Network Indicators:
- HTTP POST requests to upload endpoints with manipulated file names
SIEM Query:
source="web_logs" AND (method="POST" AND uri="*upload*" AND (filename="*../*" OR filename="*..\\*"))
🔗 References
- https://github.com/kataras/iris/commit/e213dba0d32ff66653e0ef124bc5088817264b08
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRIS-2325169
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMKATARASIRISV12-2325170