github.com/u-root/u-root/pkg/cpio Arbitrary File Write via Archive Extraction (Zip Slip) · CVE-2020-7666 · GitHub Advisory Database · GitHub

github.com/u-root/u-root/pkg/cpio Arbitrary File Write via Archive Extraction (Zip Slip)

High severity GitHub Reviewed Published Apr 24, 2024 to the GitHub Advisory Database • Updated Apr 24, 2024

Package

github.com/u-root/u-root/pkg/cpio (Go)

Affected versions

<= 7.0.0

Patched versions

None

Description

This affects all versions of package github.com/u-root/u-root/pkg/cpio up to and including 7.0.0. It is vulnerable to leading, non-leading relative path traversal attacks and symlink based (relative and absolute) path traversal attacks in cpio file extraction.

References

Published to the GitHub Advisory Database Apr 24, 2024

Reviewed Apr 24, 2024

Last updated Apr 24, 2024

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N