Description
HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/multicloud-manager-rhel8 | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/openshift-hive-rhel8 | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acmesolver-container | Fixed | RHSA-2021:1168 | 13.04.2021 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-must-gather-container | Fixed | RHSA-2021:1168 | 13.04.2021 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-operator-bundle-container | Fixed | RHSA-2021:1168 | 13.04.2021 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | application-ui-container | Fixed | RHSA-2021:1168 | 13.04.2021 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | cainjector-container | Fixed | RHSA-2021:1168 | 13.04.2021 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | cert-manager-controller-container | Fixed | RHSA-2021:1168 | 13.04.2021 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | cert-manager-webhook-container | Fixed | RHSA-2021:1168 | 13.04.2021 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | cert-policy-controller-container | Fixed | RHSA-2021:1168 | 13.04.2021 |
Additional information
Status: Moderate
Weakness: CWE-22
Weakness: CWE-59
https://bugzilla.redhat.com/show_bug.cgi?id=1914238 (go-slug: partial protection against zip slip attacks)
CVSS3: 7.5 High
Related vulnerabilities
CVSS3: 7.5
ubuntu
about 5 years ago
HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.
CVSS3: 7.5
nvd
about 5 years ago
HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.
CVSS3: 7.5
debian
about 5 years ago
HashiCorp go-slug up to 0.4.3 did not fully protect against directory ...