mirror of https://github.com/golang/vulndb.git
20 lines
807 B
YAML
module: github.com/hashicorp/go-slug
versions:
  - fixed: v0.5.0
description: |
  Protections against directory traversal during archive extraction can be
  bypassed by chaining multiple symbolic links within the archive. This allows
  a malicious attacker to cause files to be created outside of the target
  directory. Additionally, if the attacker is able to read extracted files
  they may create symbolic links to arbitrary files on the system which the
  unpacker has permissions to read.
published: 2021-04-14T12:00:00Z
cve: CVE-2020-29529
symbols:
  - Unpack
links:
  pr: https://github.com/hashicorp/go-slug/pull/12
  commit: https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f
  context:
    - https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug