CVE-2023-27475: 
vulnerability analysis and mitigation

Goutil, a collection of miscellaneous functionality for the Go language, contained a path traversal vulnerability (CVE-2023-27475) in versions prior to 0.6.0. When users utilize fsutil.Unzip to unzip files from a malicious attacker, they may be vulnerable to path traversal, also known as ZipSlip (GitHub Advisory).

The vulnerability exists in the fsutil package's unzip functionality where the application fails to properly validate file paths during archive extraction. The vulnerability has a CVSS v3.1 base score of 8.8 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The attack vector is network-based, requires low complexity, needs no privileges, but does require user interaction (NetApp Security).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability allows attackers to write files outside the intended extraction directory through path traversal techniques (GitHub Advisory, NetApp Security).

The vulnerability has been fixed in version 0.6.0 of Goutil. The fix includes adding validation to check for path traversal attempts by detecting '..' sequences in file paths. There are no known workarounds for this issue, and users are advised to upgrade to version 0.6.0 or later (GitHub Commit).