| modules: |
| - module: github.com/whyrusleeping/tar-utils |
| versions: |
| - fixed: 0.0.0-20201201191210-20a61371de5b |
| packages: |
| - package: github.com/whyrusleeping/tar-utils |
| symbols: |
| - Extractor.outputPath |
| skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]' |
| description: | |
| Due to improper path santization, archives containing relative file |
| paths can cause files to be written (or overwritten) outside of the |
| target directory. |
| published: 2021-07-28T18:08:05Z |
| ghsas: |
| - GHSA-jpf8-h7h7-3ppm |
| references: |
| - fix: https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227 |
| - web: https://snyk.io/research/zip-slip-vulnerability |
| cve_metadata: |
| id: CVE-2020-36566 |
| cwe: 'CWE 22: Improper Limitation of a Pathname to a Restricted Directory (''Path |
| Traversal'')' |