| module: github.com/hashicorp/go-slug |
| versions: |
| - fixed: v0.5.0 |
| description: | |
| Protections against directory traversal during archive extraction can be |
| bypassed by chaining multiple symbolic links within the archive. This allows |
| a malicious attacker to cause files to be created outside of the target |
| directory. Additionally if the attacker is able to read extracted files |
| they may create symbolic links to arbitary files on the system which the |
| unpacker has permissions to read. |
| published: 2021-04-14T12:00:00Z |
| cve: CVE-2020-29529 |
| symbols: |
| - Unpack |
| links: |
| pr: https://github.com/hashicorp/go-slug/pull/12 |
| commit: https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f |
| context: |
| - https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug |