CVE-2024-47877: Extract has insufficient checks allowing attacker to create symlinks outside the extraction directory.
A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory.
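
A defensive pre-extraction check for the symlink case described above, written in Go as an added example; it is not code from the affected project. `inside`, `reject` and `AuditHeaders` are hypothetical names, the sample entries are constructed, and `dest` is assumed to be an absolute path. The check goes beyond the single case in the advisory by also rejecting absolute link targets and entries written through a symlink created earlier in the same archive.

```go
package main

import (
	"archive/tar"
	"fmt"
	"path/filepath"
	"strings"
)

// inside reports whether p is dest itself or lexically below it.
func inside(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// reject says why h is unsafe under dest ("" if fine); links = symlinks accepted so far.
func reject(dest string, links map[string]bool, h *tar.Header) string {
	path := filepath.Join(dest, h.Name)
	if !inside(dest, path) {
		return "entry path escapes destination"
	}
	// A parent that an earlier entry created as a symlink could redirect this write.
	for dir := filepath.Dir(path); dir != dest && inside(dest, dir); dir = filepath.Dir(dir) {
		if links[dir] {
			return "parent directory is an archived symlink"
		}
	}
	if h.Typeflag == tar.TypeSymlink {
		target := filepath.Join(filepath.Dir(path), h.Linkname)
		if filepath.IsAbs(h.Linkname) || !inside(dest, target) {
			return "link target is absolute or escapes destination"
		}
		links[path] = true
	}
	return ""
}

// AuditHeaders returns one finding per unsafe entry, in archive order. No files are touched.
func AuditHeaders(dest string, hdrs []*tar.Header) (findings []string) {
	links := map[string]bool{}
	for _, h := range hdrs {
		if why := reject(filepath.Clean(dest), links, h); why != "" {
			findings = append(findings, h.Name+": "+why)
		}
	}
	return findings
}

func main() { // constructed sample entry, not taken from a real archive
	fmt.Println(AuditHeaders("/srv/out", []*tar.Header{{Name: "../evil", Typeflag: tar.TypeSymlink, Linkname: "x"}}))
}
```

The check is lexical only, so an extractor should run it on every header before creating anything on disk and refuse the whole archive if any finding is returned.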