| id: GO-2021-0094 |
| modules: |
| - module: github.com/hashicorp/go-slug |
| versions: |
| - fixed: 0.5.0 |
| vulnerable_at: 0.4.3 |
| packages: |
| - package: github.com/hashicorp/go-slug |
| symbols: |
| - Unpack |
| summary: Directory traversal in github.com/hashicorp/go-slug |
| description: |- |
| Protections against directory traversal during archive extraction can be |
| bypassed by chaining multiple symbolic links within the archive. This allows a |
| malicious attacker to cause files to be created outside of the target directory. |
| Additionally if the attacker is able to read extracted files they may create |
| symbolic links to arbitrary files on the system which the unpacker has |
| permissions to read. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2020-29529 |
| ghsas: |
| - GHSA-2g5j-5x95-r6hr |
| references: |
| - fix: https://github.com/hashicorp/go-slug/pull/12 |
| - fix: https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f |
| - web: https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug |
| review_status: REVIEWED |