GO-2021-0094

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2021-0094

Import Source

https://vuln.go.dev/ID/GO-2021-0094.json

JSON Data

https://api.test.osv.dev/v1/vulns/GO-2021-0094

Aliases

Published

2021-04-14T20:04:52Z

Modified

2024-05-20T16:03:47Z

Summary

Directory traversal in github.com/hashicorp/go-slug

Details

Protections against directory traversal during archive extraction can be bypassed by chaining multiple symbolic links within the archive. This allows a malicious attacker to cause files to be created outside of the target directory. Additionally if the attacker is able to read extracted files they may create symbolic links to arbitrary files on the system which the unpacker has permissions to read.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2021-0094"
}

References

Affected packages

Go / github.com/hashicorp/go-slug

Package

Name: github.com/hashicorp/go-slug; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/go-slug

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.5.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/hashicorp/go-slug",
            "symbols": [
                "Unpack"
            ]
        }
    ]
}