blob: 5665df91eac88f1423eaaed478c90d627daab3d5 [file] [log] [blame]
module: github.com/hashicorp/go-slug
versions:
- fixed: v0.5.0
description: |
Protections against directory traversal during archive extraction can be
bypassed by chaining multiple symbolic links within the archive. This allows
a malicious attacker to cause files to be created outside of the target
directory. Additionally if the attacker is able to read extracted files
they may create symbolic links to arbitary files on the system which the
unpacker has permissions to read.
published: 2021-04-14T12:00:00Z
cve: CVE-2020-29529
symbols:
- Unpack
links:
pr: https://github.com/hashicorp/go-slug/pull/12
commit: https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f
context:
- https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug