module: github.com/hashicorp/go-slug
versions:
- fixed: v0.5.0
description: |
  Protections against directory traversal during archive extraction can be
  bypassed by chaining multiple symbolic links within the archive. This allows
  an attacker to cause files to be created outside of the target
  directory. Additionally, if the attacker is able to read extracted files,
  they may create symbolic links to arbitrary files on the system which the
  unpacker has permissions to read.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2020-29529
symbols:
- Unpack
links:
  pr: https://github.com/hashicorp/go-slug/pull/12
  commit: https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f
  context:
  - https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug