CVE-2020-36561: Unzip vulnerable to path traversal

December 28, 2022 (updated December 30, 2022)

Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

References

github.com/advisories/GHSA-f5c5-hmw9-v8hx
github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73
github.com/yi-ge/unzip/pull/1
nvd.nist.gov/vuln/detail/CVE-2020-36561
pkg.go.dev/vuln/GO-2020-0035
snyk.io/research/zip-slip-vulnerability

Detect and mitigate CVE-2020-36561 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →