| modules: |
| - module: github.com/hashicorp/go-slug |
| versions: |
| - fixed: 0.5.0 |
| vulnerable_at: 0.4.3 |
| packages: |
| - package: github.com/hashicorp/go-slug |
| symbols: |
| - Unpack |
| summary: 'TODO(https://go.dev/issue/56443): fill in summary field' |
| description: | |
| Protections against directory traversal during archive extraction can be |
| bypassed by chaining multiple symbolic links within the archive. This allows |
| a malicious attacker to cause files to be created outside of the target |
| directory. Additionally if the attacker is able to read extracted files |
| they may create symbolic links to arbitrary files on the system which the |
| unpacker has permissions to read. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2020-29529 |
| ghsas: |
| - GHSA-2g5j-5x95-r6hr |
| references: |
| - fix: https://github.com/hashicorp/go-slug/pull/12 |
| - fix: https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f |
| - web: https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug |
