Vulnerability Description
Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
CVSS Score
9.1
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Unzip Project | Unzip | < 1.0.3-0.20200308084313-2adbaa4891b9 |
Related Weaknesses (CWE)
References
- https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73PatchThird Party Advisory
- https://github.com/yi-ge/unzip/pull/1ExploitThird Party Advisory
- https://pkg.go.dev/vuln/GO-2020-0035Third Party Advisory
- https://snyk.io/research/zip-slip-vulnerabilityTechnical DescriptionThird Party Advisory
- https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73PatchThird Party Advisory
- https://github.com/yi-ge/unzip/pull/1ExploitThird Party Advisory
- https://pkg.go.dev/vuln/GO-2020-0035Third Party Advisory
- https://snyk.io/research/zip-slip-vulnerabilityTechnical DescriptionThird Party Advisory
FAQ
What is CVE-2020-36561?
CVE-2020-36561 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
How severe is CVE-2020-36561?
CVE-2020-36561 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-36561?
Check the references section above for vendor advisories and patch information. Affected products include: Unzip Project Unzip.