Lucene search

GitHub Advisory DatabaseGHSA-75QF-WGFJ-V652

HistoryMay 18, 2021 - 6:28 p.m.

github.com/u-root/u-root/pkg/tarutil Arbitrary File Write via Archive Extraction (Zip Slip)

2021-05-1818:28:03

CWE-22

GitHub Advisory Database

github.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

40.1%

JSON

This affects all versions up to and including version 0.7.0 of package github.com/u-root/u-root/pkg/tarutil. It is vulnerable to both leading and non-leading relative path traversal attacks in tar file extraction.

Affected configurations

Vulners

Node

github_advisory_databasegithub.com\/u-root\/u-rootRange<0.9.0

CPENameOperatorVersion
github.com/u-root/u-rootlt0.9.0

CPE	Name	Operator	Version
	github.com/u-root/u-root	lt	0.9.0

References

github.com/advisories/GHSA-75qf-wgfj-v652

github.com/u-root/u-root/issues/2449

github.com/u-root/u-root/pull/1817

github.com/u-root/u-root/pull/2344

nvd.nist.gov/vuln/detail/CVE-2020-7669

snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUROOTUROOTPKGTARUTIL-570428

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

40.1%

JSON

Related for GHSA-75QF-WGFJ-V652