OpenCVE

Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Unzip Project	Unzip

Configuration 1 [-]

cpe:2.3:a:unzip_project:unzip:*:*:*:*:*:go:*:*

No data.

References

Link	Providers
https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73
https://github.com/yi-ge/unzip/pull/1
https://pkg.go.dev/vuln/GO-2020-0035
https://snyk.io/research/zip-slip-vulnerability

History

No history.

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2022-12-27T21:13:22.650Z

Updated: 2024-08-04T17:30:08.435Z

Reserved: 2022-07-29T17:07:52.749Z

Link: CVE-2020-36561

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-27T22:15:11.623

Modified: 2024-11-21T05:29:50.427

Link: CVE-2020-36561

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:unzip_project:unzip:*:*:*:*:*:go:*:*", "matchCriteriaId": "50ACA0B5-19B0-467C-BC62-BA8DB8AE5F92", "versionEndExcluding": "1.0.3-0.20200308084313-2adbaa4891b9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory."}, {"lang": "es", "value": "Debido a una sanitizaci\u00f3n inadecuada de la ruta, los archivos que contienen rutas de archivo relativas pueden hacer que los archivos se escriban (o sobrescriban) fuera del directorio de destino."}], "id": "CVE-2020-36561", "lastModified": "2024-11-21T05:29:50.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-27T22:15:11.623", "references": [{"source": "security@golang.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73"}, {"source": "security@golang.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/yi-ge/unzip/pull/1"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://pkg.go.dev/vuln/GO-2020-0035"}, {"source": "security@golang.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://snyk.io/research/zip-slip-vulnerability"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/yi-ge/unzip/commit/2adbaa4891b9690853ef10216189189f5ad7dc73"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/yi-ge/unzip/pull/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://pkg.go.dev/vuln/GO-2020-0035"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://snyk.io/research/zip-slip-vulnerability"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}