blob: 5db3b42609c9f7d4823158594439201f9fb1fa2e [file] [log] [blame]
id: GO-2021-0094
modules:
- module: github.com/hashicorp/go-slug
versions:
- fixed: 0.5.0
vulnerable_at: 0.4.3
packages:
- package: github.com/hashicorp/go-slug
symbols:
- Unpack
summary: Directory traversal in github.com/hashicorp/go-slug
description: |-
Protections against directory traversal during archive extraction can be
bypassed by chaining multiple symbolic links within the archive. This allows a
malicious attacker to cause files to be created outside of the target directory.
Additionally if the attacker is able to read extracted files they may create
symbolic links to arbitrary files on the system which the unpacker has
permissions to read.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2020-29529
ghsas:
- GHSA-2g5j-5x95-r6hr
references:
- fix: https://github.com/hashicorp/go-slug/pull/12
- fix: https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f
- web: https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug
review_status: REVIEWED