Georgios Gkitsas

**Name of the Vulnerable Software and Affected Versions** u-root versions (affected versions not specified) **Description** The issue concerns path traversal attacks, specifically both leading and non-leading relative path traversal, in zip file extraction. This affects the u-root package, particularly in the github.com/u-root/u-root/pkg/uzip component. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** u-root versions prior to 7.0.0 **Description** The issue affects the cpio file extraction in the u-root package, making it vulnerable to leading and non-leading relative path traversal attacks, as well as symlink-based path traversal attacks, both relative and absolute. **Recommendations** For versions prior to 7.0.0, update to version 7.0.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** github.com/u-root/u-root/pkg/tarutil versions prior to 0.7.0 **Description** The issue affects the tar file extraction in the github.com/u-root/u-root/pkg/tarutil package, making it vulnerable to both leading and non-leading relative path traversal attacks. This can lead to arbitrary file write via archive extraction, also known as Zip Slip. **Recommendations** For versions prior to 0.7.0, update to version 0.7.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the tar file extraction functionality in the affected package until a patch is available.

**Name of the Vulnerable Software and Affected Versions** go-rpmutils/cpio version 0.1.0 and earlier **Description** The CPIO extraction functionality does not sanitize the paths of the archived files for leading and non-leading `..`, which leads to file extraction outside of the current directory. This is due to improper path sanitization, allowing RPMs containing relative file paths to cause files to be written or overwritten outside of the target directory. **Recommendations** For go-rpmutils/cpio version 0.1.0 and earlier, update to version 0.1.0 or later, as the fixing commit was applied to all affected versions which were re-released.

**Name of the Vulnerable Software and Affected Versions** github.com/unknwon/cae/zip (affected versions not specified) **Description** The ExtractTo function does not securely escape file paths in zip archives, which include leading or non-leading "..". This allows an attacker to add or replace files system-wide. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** github.com/unknwon/cae/tz (affected versions not specified) **Description** The issue arises from improper path sanitization in the ExtractTo function, which fails to securely escape file paths in zip archives containing leading or non-leading "..". This flaw allows an attacker to add or replace files system-wide. Archives with relative file paths can cause files to be written or overwritten outside the target directory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.