CVE-2020-29529

HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.
Configurations

Configuration 1 (hide)

cpe:2.3:a:hashicorp:go-slug:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:24

Type Values Removed Values Added
References () https://github.com/hashicorp/go-slug/compare/v0.4.3...v0.5.0 - Patch, Release Notes, Third Party Advisory () https://github.com/hashicorp/go-slug/compare/v0.4.3...v0.5.0 - Patch, Release Notes, Third Party Advisory
References () https://github.com/hashicorp/go-slug/pull/12 - Patch, Third Party Advisory () https://github.com/hashicorp/go-slug/pull/12 - Patch, Third Party Advisory
References () https://github.com/hashicorp/go-slug/releases/tag/v0.5.0 - Release Notes, Third Party Advisory () https://github.com/hashicorp/go-slug/releases/tag/v0.5.0 - Release Notes, Third Party Advisory
References () https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug - Exploit, Third Party Advisory () https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug - Exploit, Third Party Advisory

Information

Published : 2020-12-03 20:15

Updated : 2024-11-21 05:24


NVD link : CVE-2020-29529

Mitre link : CVE-2020-29529

CVE.ORG link : CVE-2020-29529


JSON object : View

Products Affected

hashicorp

  • go-slug
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-59

Improper Link Resolution Before File Access ('Link Following')