Description
Unsafe tar unpacking in HashiCorp go-slug
HashiCorp go-slug before 0.5.0 does not address attempts at directory traversal involving ../ and symlinks.
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-29529
- https://github.com/hashicorp/go-slug/pull/12
- https://github.com/hashicorp/go-slug/commit/28cafc59c8da6126a3ae94dfa84181df4073454f
- https://github.com/hashicorp/go-slug/commit/764785bc4cbb9e600ad1cf1a6bd21b535c182983
- https://github.com/hashicorp/go-slug/compare/v0.4.3...v0.5.0
- https://github.com/hashicorp/go-slug/releases/tag/v0.5.0
- https://pkg.go.dev/vuln/GO-2021-0094
- https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug
Packages
- github.com/hashicorp/go-slug: affected versions < 0.5.0; fixed in 0.5.0
Related vulnerabilities
HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.