blob: 515f4d01339d3ce40562ba12ee45cab52184d0a9 [file] [log] [blame]
id: GO-2021-0099
modules:
- module: github.com/deislabs/oras
versions:
- fixed: 0.9.0
vulnerable_at: 0.8.1
packages:
- package: github.com/deislabs/oras/pkg/content
symbols:
- extractTarDirectory
derived_symbols:
- fileWriter.Commit
summary: Zip slip directory exploit in github.com/deislabs/oras
description: |-
Due to improper path validation, using the
github.com/deislabs/oras/pkg/content.FileStore content store may result in
directory traversal during archive extraction, allowing a malicious archive to
write paths to arbitrary paths that the process can write to.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2021-21272
ghsas:
- GHSA-g5v4-5x39-vwhx
credits:
- Chris Smowton
references:
- fix: https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e
review_status: REVIEWED