HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.
References
Link | Resource |
---|---|
https://github.com/hashicorp/go-slug/compare/v0.4.3...v0.5.0 | Patch Release Notes Third Party Advisory |
https://github.com/hashicorp/go-slug/pull/12 | Patch Third Party Advisory |
https://github.com/hashicorp/go-slug/releases/tag/v0.5.0 | Release Notes Third Party Advisory |
https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug | Exploit Third Party Advisory |
https://github.com/hashicorp/go-slug/compare/v0.4.3...v0.5.0 | Patch Release Notes Third Party Advisory |
https://github.com/hashicorp/go-slug/pull/12 | Patch Third Party Advisory |
https://github.com/hashicorp/go-slug/releases/tag/v0.5.0 | Release Notes Third Party Advisory |
https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 05:24
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/hashicorp/go-slug/compare/v0.4.3...v0.5.0 - Patch, Release Notes, Third Party Advisory | |
References | () https://github.com/hashicorp/go-slug/pull/12 - Patch, Third Party Advisory | |
References | () https://github.com/hashicorp/go-slug/releases/tag/v0.5.0 - Release Notes, Third Party Advisory | |
References | () https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug - Exploit, Third Party Advisory |
Information
Published : 2020-12-03 20:15
Updated : 2024-11-21 05:24
NVD link : CVE-2020-29529
Mitre link : CVE-2020-29529
CVE.ORG link : CVE-2020-29529
JSON object : View
Products Affected
hashicorp
- go-slug