GHSA-9h6h-9g78-86f7: 
vulnerability analysis and mitigation

The vulnerability (GHSA-9h6h-9g78-86f7) affects Yapscan's report receiver server versions 0.18.0 through 0.19.0, discovered and disclosed on December 23, 2022. The vulnerability allows path traversal and log injection in the experimental report receiver server component. This high-severity issue (CVSS score 7.5) affects the gomod package github.com/fkie-cad/yapscan and was patched in version 0.19.1 (GitHub Advisory).

The vulnerability combines multiple weaknesses including path traversal (CWE-22), external control of file name or path (CWE-73), and improper output neutralization for logs (CWE-117). The issue has a CVSS v3.1 base score of 7.5 (High), with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The vulnerability is exploitable over the network, requires low attack complexity, needs no privileges or user interaction, and primarily impacts data integrity while leaving confidentiality and availability unaffected (GitHub Advisory).

If exploited, this vulnerability allows attackers to forge requests that can overwrite arbitrary files on the host system, subject to the permissions of the yapscan server. The risk is particularly severe when clients are not authenticated or when the server runs with elevated permissions, potentially leading to significant data loss (GitHub Advisory).

The primary mitigation is to update to version 0.19.1 which contains the security fixes. For users who cannot immediately update, recommended workarounds include authenticating clients using the --client-ca flag and implementing containerization of the yapscan server. These measures help reduce the risk of exploitation (GitHub Release).