| { |
| "id": "GO-2021-0094", |
| "published": "2021-04-14T20:04:52Z", |
| "modified": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2020-29529" |
| ], |
| "details": "Protections against directory traversal during archive extraction can be bypassed by chaining multiple symbolic links within the archive. This allows a malicious attacker to cause files to be created outside of the target directory. Additionally if the attacker is able to read extracted files they may create symbolic links to arbitrary files on the system which the unpacker has permissions to read.", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/hashicorp/go-slug", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "0.5.0" |
| } |
| ] |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2021-0094" |
| }, |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/hashicorp/go-slug", |
| "symbols": [ |
| "Unpack" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://github.com/hashicorp/go-slug/pull/12" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug" |
| } |
| ], |
| "schema_version": "1.3.1" |
| } |
