CVE-2020-29529

HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:hashicorp:go-slug:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-12-03 20:15

Updated : 2024-02-28 18:08


NVD link : CVE-2020-29529

Mitre link : CVE-2020-29529

CVE.ORG link : CVE-2020-29529


JSON object : View

Products Affected

hashicorp

  • go-slug
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-59

Improper Link Resolution Before File Access ('Link Following')