Commit c675b49

reports: add GO-2021-0228 for CVE-2020-7664
Fixes #228

Change-Id: I53bc9fadff80e209c505bae1b567eba5090fd967
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377620
Trust: Julie Qiu <[email protected]>
Run-TryBot: Julie Qiu <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

1 parent 13f2b09 commit c675b49

1 file changed

+20
-0
lines changed

reports/GO-2021-0228.yaml

@@ -0,0 +1,20 @@
1+
module: github.com/unknwon/cae
2+
package: github.com/unknwon/cae/zip
3+
versions:
4+
- fixed: v1.0.1
5+
description: |
6+
The ExtractTo function doesn't securely escape file paths in zip archives
7+
which include leading or non-leading "..". This allows an attacker to add or
8+
replace files system-wide.
9+
cves:
10+
- CVE-2020-7664
11+
credit: Georgios Gkitsas of Snyk Security Team
12+
symbols:
13+
- TzArchive.syncFiles
14+
- TzArchive.ExtractToFunc
15+
- ZipArchive.Open
16+
- ZipArchive.ExtractToFunc
17+
links:
18+
commit: https://github.com/unknwon/cae/commit/07971c00a1bfd9dc171c3ad0bfab5b67c2287e11
19+
context:
20+
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUNKNWONCAEZIP-570383
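
Review bot: the symbols list puts TzArchive.syncFiles and TzArchive.ExtractToFunc under package github.com/unknwon/cae/zip next to the ZipArchive entries, and the names suggest a different archive type. If TzArchive is defined in another package of this module, give it its own package entry with those two symbols, otherwise a scanner matching on package plus symbol will not flag its callers. The description also names ExtractTo, while symbols lists only the ExtractToFunc variants; either add ExtractTo or say in the description that it reaches the listed symbols. Finally, versions carries only "fixed: v1.0.1" with no introduced version, so confirm that every earlier release is meant to be reported as affected.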
