CVE-2020-29529

Name of the Vulnerable Software and Affected Versions HashiCorp go-slug versions 0.4.3 and earlier

Description The issue allows a malicious attacker to bypass protections against directory traversal during archive extraction by chaining multiple symbolic links within the archive. This enables the creation of files outside the target directory. If the attacker can read extracted files, they may create symbolic links to arbitrary files on the system that the unpacker has permissions to read. The vulnerability involves attempts at directory traversal using ../ and symlinks.

Recommendations For HashiCorp go-slug versions 0.4.3 and earlier, update to version 0.5.0 to resolve the issue. As a temporary workaround, consider restricting the use of symbolic links within archives to minimize the risk of exploitation. Avoid using the go-slug tool to unpack archives from untrusted sources until the issue is resolved.