3 matches found
CVE-2020-7669
CVE-2020-7669 affects the Go package github.com/u-root/u-root/pkg/tarutil, vulnerable to both leading and non-leading relative path traversal attacks during tar extraction (Zip Slip). The issue is present in versions prior to 0.7.0; the restoration of safe extraction is achieved by upgrading to n...
CVE-2020-7665
CVE-2020-7665 affects all versions of github.com/u-root/u-root/pkg/uzip. The connected sources describe a path traversal (Zip Slip) flaw in zip extraction that can lead to arbitrary file writes outside the target directory. Practical impact stated: risk of writing files outside the intended locat...
CVE-2020-7666
The CVE-2020-7666 entry concerns github.com/u-root/u-root/pkg/cpio, where the cpio extraction code is vulnerable to path traversal (leading and non-leading relative paths) and symlink-based traversal (relative and absolute) during archive extraction. Multiple sources describe this as Arbitrary Fi...