data/reports/GO-2021-0099.yaml - vulndb - Git at Google

 id: GO-2021-0099
 modules:
     - module: github.com/deislabs/oras
       versions:
         - fixed: 0.9.0
       vulnerable_at: 0.8.1
       packages:
         - package: github.com/deislabs/oras/pkg/content
           symbols:
             - extractTarDirectory
           derived_symbols:
             - fileWriter.Commit
 summary: Zip slip directory exploit in github.com/deislabs/oras
 description: |-
     Due to improper path validation, using the
     github.com/deislabs/oras/pkg/content.FileStore content store may result in
     directory traversal during archive extraction, allowing a malicious archive to
     write paths to arbitrary paths that the process can write to.
 published: 2021-04-14T20:04:52Z
 cves:
     - CVE-2021-21272
 ghsas:
     - GHSA-g5v4-5x39-vwhx
 credits:
     - Chris Smowton
 references:
     - fix: https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e
	id: GO-2021-0099
	modules:
	- module: github.com/deislabs/oras
	versions:
	- fixed: 0.9.0
	vulnerable_at: 0.8.1
	packages:
	- package: github.com/deislabs/oras/pkg/content
	symbols:
	- extractTarDirectory
	derived_symbols:
	- fileWriter.Commit
	summary: Zip slip directory exploit in github.com/deislabs/oras
	description: \|-
	Due to improper path validation, using the
	github.com/deislabs/oras/pkg/content.FileStore content store may result in
	directory traversal during archive extraction, allowing a malicious archive to
	write paths to arbitrary paths that the process can write to.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2021-21272
	ghsas:
	- GHSA-g5v4-5x39-vwhx
	credits:
	- Chris Smowton
	references:
	- fix: https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e