Exploit Report

Computer Security And Bug Information

CVE-2020-26312

CVECVE-2020-26312
CVE Title
Published Date2024-05-14T21:15Z
Modified Date2024-05-15T16:40Z
DescriptionDotmesh is a git-like command-line interface for capturing, organizing and sharing application states. In versions 0.8.1 and prior, the unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder. The routine `untarFile` attempts to guard against creating symbolic links that point outside the directory a tar archive is extracted to. However, a malicious tarball first linking `subdir/parent` to `..` (allowed, because `subdir/..` falls within the archive root) and then linking `subdir/parent/escapes` to `..` results in a symbolic link pointing to the tarball’s parent directory, contrary to the routine’s goals. This issue may lead to arbitrary file write (with same permissions as the program running the unpack operation) if the attacker can control the archive file. Additionally, if the attacker has read access to the unpacked files, they may be able to read arbitrary system files the parent process has permissions to read. As of time of publication, no patch for this issue is available.
References
By clicking these links you will leave this website. We do not endorse and will not be held accountable for any activity on external sites.
Reference URLhttps://securitylab.github.com/advisories/GHSL-2020-254-zipslip-dotmesh/
Reference Description https://securitylab.github.com/advisories/GHSL-2020-254-zipslip-dotmesh/
Reference URLhttps://github.com/dotmesh-io/dotmesh/blob/master/pkg/archiver/tar.go#L255
Reference Description https://github.com/dotmesh-io/dotmesh/blob/master/pkg/archiver/tar.go#L255
Sources NIST MITRE
Note
  • No CVSS data for this CVE

This site's data is aggregated programmatically and provided "as is" without any representations or warranties, express or implied. Exploit.report is not affiliated with the The MITRE Corporation, U.S. Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), or US government in any way. CVE and the CVE logo are registered trademarks of The MITRE Corporation

© 2022 Exploit.Report | Data | Contact | Privacy Policy | Articles