CVE-2020-7667: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

June 23, 2021 (updated February 16, 2023)

In package github.com/sassoftware/go-rpmutils/cpio before version 0.1.0, the CPIO extraction functionality does not sanitize the paths of the archived files for leading and non-leading “..” which leads in file extraction outside of the current directory. Note: the fixing commit was applied to all affected versions which were re-released.

References

github.com/advisories/GHSA-9423-6c93-gpp8
github.com/sassoftware/go-rpmutils/commit/a64058cf21b8aada501bba923c9aab66fb6febf0
nvd.nist.gov/vuln/detail/CVE-2020-7667
pkg.go.dev/vuln/GO-2020-0042
snyk.io/research/zip-slip-vulnerability
snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSASSOFTWAREGORPMUTILSCPIO-570427

Detect and mitigate CVE-2020-7667 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →