Vulnerability Description
Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
CVSS Score
9.1
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Go-Unzip Project | Go-Unzip | < 1.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7PatchThird Party Advisory
- https://github.com/artdarek/go-unzip/pull/2ExploitThird Party Advisory
- https://pkg.go.dev/vuln/GO-2020-0034Third Party Advisory
- https://snyk.io/research/zip-slip-vulnerabilityTechnical DescriptionThird Party Advisory
- https://github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7PatchThird Party Advisory
- https://github.com/artdarek/go-unzip/pull/2ExploitThird Party Advisory
- https://pkg.go.dev/vuln/GO-2020-0034Third Party Advisory
- https://snyk.io/research/zip-slip-vulnerabilityTechnical DescriptionThird Party Advisory
FAQ
What is CVE-2020-36560?
CVE-2020-36560 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
How severe is CVE-2020-36560?
CVE-2020-36560 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-36560?
Check the references section above for vendor advisories and patch information. Affected products include: Go-Unzip Project Go-Unzip.