reports/GO-2021-0094.toml - vulndb - Git at Google

 module = "github.com/hashicorp/go-slug"

 description = """
 Protections against directory traversal during archive extraction can be
 bypassed by chaining multiple symbolic links within the archive. This allows
 a malicious attacker to cause files to be created outside of the target
 directory. Additionally if the attacker is able to read extracted files
 they may create symbolic links to arbitary files on the system which the
 unpacker has permissions to read.
 """

 cve = "CVE-2020-29529"

 symbols = ["Unpack"]

 published = "2021-04-14T12:00:00Z"

 [[versions]]
 fixed = "v0.5.0"

 [links]
 commit = "https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f"
 pr = "https://github.com/hashicorp/go-slug/pull/12"
 context = ["https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug"]
	module = "github.com/hashicorp/go-slug"

	description = """
	Protections against directory traversal during archive extraction can be
	bypassed by chaining multiple symbolic links within the archive. This allows
	a malicious attacker to cause files to be created outside of the target
	directory. Additionally if the attacker is able to read extracted files
	they may create symbolic links to arbitary files on the system which the
	unpacker has permissions to read.
	"""

	cve = "CVE-2020-29529"

	symbols = ["Unpack"]

	published = "2021-04-14T12:00:00Z"

	[[versions]]
	fixed = "v0.5.0"

	[links]
	commit = "https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f"
	pr = "https://github.com/hashicorp/go-slug/pull/12"
	context = ["https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug"]