CVE-2020-26279 – github.com/ipfs/go-ipfs

Package

Manager: go
Name: github.com/ipfs/go-ipfs
Vulnerable Version: >=0 <0.8.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01624 pctl0.8115

Details

Path traversal in github.com/ipfs/go-ipfs ### Impact It is currently possible for path traversal to occur with DAGs containing relative paths during retrieval. This can cause files to be overwritten, or written to incorrect output directories. The issue can only occur when `ipfs get` is done on an affected DAG. 1. The only affected command is `ipfs get`. 2. The gateway is not affected. ### Patches Traversal fix patched in https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227 `tar-utils` patch applied to go-ipfs via https://github.com/ipfs/go-ipfs/commit/b7ddba7fe47dee5b1760b8ffe897908417e577b2 ### Workarounds Upgrade to go-ipfs 0.8 or later. ### References Binaries for the patched versions of go-ipfs are available on the IPFS distributions site, https://dist.ipfs.io/go-ipfs ### For more information If you have any questions or comments about this advisory: * Open an issue in [go-ipfs](https://github.com/ipfs/go-ipfs) * Email us at [security@ipfs.io](mailto:security@ipfs.io)

Metadata

Created: 2021-06-23T17:27:44Z
Modified: 2021-05-21T18:31:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-27pv-q55r-222g/GHSA-27pv-q55r-222g.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-27pv-q55r-222g
Finding: F063
Auto approve: 1