data/reports/GO-2021-0094.yaml - vulndb - Git at Google

 modules:
   - module: github.com/hashicorp/go-slug
     versions:
       - fixed: 0.5.0
     vulnerable_at: 0.4.3
     packages:
       - package: github.com/hashicorp/go-slug
         symbols:
           - Unpack
 description: |
     Protections against directory traversal during archive extraction can be
     bypassed by chaining multiple symbolic links within the archive. This allows
     a malicious attacker to cause files to be created outside of the target
     directory. Additionally if the attacker is able to read extracted files
     they may create symbolic links to arbitrary files on the system which the
     unpacker has permissions to read.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2020-29529
 ghsas:
   - GHSA-2g5j-5x95-r6hr
 references:
   - fix: https://github.com/hashicorp/go-slug/pull/12
   - fix: https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f
   - web: https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug
	modules:
	- module: github.com/hashicorp/go-slug
	versions:
	- fixed: 0.5.0
	vulnerable_at: 0.4.3
	packages:
	- package: github.com/hashicorp/go-slug
	symbols:
	- Unpack
	description: \|
	Protections against directory traversal during archive extraction can be
	bypassed by chaining multiple symbolic links within the archive. This allows
	a malicious attacker to cause files to be created outside of the target
	directory. Additionally if the attacker is able to read extracted files
	they may create symbolic links to arbitrary files on the system which the
	unpacker has permissions to read.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2020-29529
	ghsas:
	- GHSA-2g5j-5x95-r6hr
	references:
	- fix: https://github.com/hashicorp/go-slug/pull/12
	- fix: https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f
	- web: https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug