CVE-2020-36561 – github.com/yi-ge/unzip
Package
Manager: go
Name: github.com/yi-ge/unzip
Vulnerable Version: >=0 <1.0.3-0.20200308084313-2adbaa4891b9
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00125 (percentile 0.32445)
Details
Unzip vulnerable to path traversal. Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
Metadata
Created: 2022-12-28T00:30:23Z
Modified: 2023-08-30T11:48:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-f5c5-hmw9-v8hx/GHSA-f5c5-hmw9-v8hx.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-f5c5-hmw9-v8hx
Finding: F063
Auto approve: 1