| id: GO-2020-0025 |
| modules: |
| - module: code.cloudfoundry.org/archiver |
| versions: |
| - fixed: 0.0.0-20180523222229-09b5706aa936 |
| vulnerable_at: 0.0.0-20170223024658-7291196139d7 |
| packages: |
| - package: code.cloudfoundry.org/archiver/extractor |
| symbols: |
| - extractTarArchiveFile |
| - extractZipArchiveFile |
| derived_symbols: |
| - detectableExtractor.Extract |
| - tarExtractor.Extract |
| - tgzExtractor.Extract |
| - zipExtractor.Extract |
| summary: Path traversal in code.cloudfoundry.org/archiver |
| description: |- |
| Due to improper path sanitization, archives containing relative file paths can |
| cause files to be written (or overwritten) outside of the target directory. |
| published: 2021-04-14T20:04:52Z |
| ghsas: |
| - GHSA-32qh-8vg6-9g43 |
| references: |
| - fix: https://github.com/cloudfoundry/archiver/commit/09b5706aa9367972c09144a450bb4523049ee840 |
| - web: https://snyk.io/research/zip-slip-vulnerability |
| cve_metadata: |
| id: CVE-2018-25046 |
| cwe: 'CWE 29: Path Traversal: "\..\filename"' |
| review_status: REVIEWED |
