| id: GO-2021-0099 |
| modules: |
| - module: github.com/deislabs/oras |
| versions: |
| - fixed: 0.9.0 |
| vulnerable_at: 0.8.1 |
| packages: |
| - package: github.com/deislabs/oras/pkg/content |
| symbols: |
| - extractTarDirectory |
| derived_symbols: |
| - fileWriter.Commit |
| summary: Zip slip directory exploit in github.com/deislabs/oras |
| description: |- |
| Due to improper path validation, using the |
| github.com/deislabs/oras/pkg/content.FileStore content store may result in |
| directory traversal during archive extraction, allowing a malicious archive to |
| write paths to arbitrary paths that the process can write to. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2021-21272 |
| ghsas: |
| - GHSA-g5v4-5x39-vwhx |
| credits: |
| - Chris Smowton |
| references: |
| - fix: https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e |
| review_status: REVIEWED |