data/reports/GO-2021-0094.yaml

id: GO-2021-0094
modules:
    - module: github.com/hashicorp/go-slug
      versions:
        - fixed: 0.5.0
      vulnerable_at: 0.4.3
      packages:
        - package: github.com/hashicorp/go-slug
          symbols:
            - Unpack
summary: Directory traversal in github.com/hashicorp/go-slug
description: |-
    Protections against directory traversal during archive extraction can be
    bypassed by chaining multiple symbolic links within the archive. This allows a
    malicious attacker to cause files to be created outside of the target directory.
    Additionally if the attacker is able to read extracted files they may create
    symbolic links to arbitrary files on the system which the unpacker has
    permissions to read.
published: 2021-04-14T20:04:52Z
cves:
    - CVE-2020-29529
ghsas:
    - GHSA-2g5j-5x95-r6hr
references:
    - fix: https://github.com/hashicorp/go-slug/pull/12
    - fix: https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f
    - web: https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug