HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.
References
Link | Resource |
---|---|
https://github.com/hashicorp/go-slug/compare/v0.4.3...v0.5.0 | Patch Release Notes Third Party Advisory |
https://github.com/hashicorp/go-slug/pull/12 | Patch Third Party Advisory |
https://github.com/hashicorp/go-slug/releases/tag/v0.5.0 | Release Notes Third Party Advisory |
https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug | Exploit Third Party Advisory |
Configurations
History
No history.
Information
Published : 2020-12-03 20:15
Updated : 2024-02-28 18:08
NVD link : CVE-2020-29529
Mitre link : CVE-2020-29529
CVE.ORG link : CVE-2020-29529
JSON object : View
Products Affected
hashicorp
- go-slug