CVE-2020-7667

Опубликовано: 24 июн. 2020

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

In package github.com/sassoftware/go-rpmutils/cpio before version 0.1.0, the CPIO extraction functionality doesn't sanitize the paths of the archived files for leading and non-leading ".." which leads in file extraction outside of the current directory. Note: the fixing commit was applied to all affected versions which were re-released.

Ссылки

https://github.com/sassoftware/go-rpmutils/commit/a64058cf21b8aada501bba923c9aab66fb6febf0
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSASSOFTWAREGORPMUTILSCPIO-570427
Exploit
Third Party Advisory
https://github.com/sassoftware/go-rpmutils/commit/a64058cf21b8aada501bba923c9aab66fb6febf0
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSASSOFTWAREGORPMUTILSCPIO-570427
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:sas:go_rpm_utils:*:*:*:*:*:*:*:*

Версия до 0.1.0 (исключая)

EPSS

Процентиль: 61%

0.00414

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-9423-6c93-gpp8