Vulnerability Report: GO-2021-0094

CVE-2020-29529, GHSA-2g5j-5x95-r6hr
Affects: github.com/hashicorp/go-slug
Published: Apr 14, 2021
Modified: May 20, 2024

Protections against directory traversal during archive extraction can be bypassed by chaining multiple symbolic links within the archive. This allows a malicious attacker to cause files to be created outside of the target directory. Additionally if the attacker is able to read extracted files they may create symbolic links to arbitrary files on the system which the unpacker has permissions to read.

Affected Packages

Path

Go Versions

Symbols
github.com/hashicorp/go-slug

before v0.5.0
- Unpack

Aliases

CVE-2020-29529
GHSA-2g5j-5x95-r6hr

References

https://github.com/hashicorp/go-slug/pull/12
https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f
https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug
https://vuln.go.dev/ID/GO-2021-0094.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL