| { |
| "id": "GO-2021-0094", |
| "published": "2021-04-14T20:04:52Z", |
| "modified": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2020-29529" |
| ], |
| "details": "Protections against directory traversal during archive extraction can be\nbypassed by chaining multiple symbolic links within the archive. This allows\na malicious attacker to cause files to be created outside of the target\ndirectory. Additionally if the attacker is able to read extracted files\nthey may create symbolic links to arbitrary files on the system which the\nunpacker has permissions to read.\n", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/hashicorp/go-slug", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "0.5.0" |
| } |
| ] |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2021-0094" |
| }, |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/hashicorp/go-slug", |
| "symbols": [ |
| "Unpack" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://github.com/hashicorp/go-slug/pull/12" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug" |
| } |
| ] |
| } |
