PT-2024-32867 · Extract · Textract

Buglloc · Published 2024-10-11 · Updated 2024-11-22 · CVE-2024-47877

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Extract, versions prior to 4.0.0

Description: A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory. This issue can be exploited by using a specially crafted archive in zip, tar.gz, or tar.bz2 formats.

Recommendations: For versions prior to 4.0.0, upgrade to version 4.0.0 or later. If using the extract.Extractor.FS interface, implement the new methods that have been added to the /v4 interface, including Remove(path string) error, Stat(name string) (os.FileInfo, error), and Chmod(name string, mode os.FileMode) error. For users not using the extract.Extractor.FS interface, simply change the import to /v4 to upgrade.
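
The bug class described above is a symlink entry whose target points outside the extraction directory. The Go function below is an added illustration of the containment check an extractor needs before creating such an entry; it is not code from the extract library or from its 4.0.0 fix, and the names safeSymlinkTarget, insideRoot and ErrEscapesRoot are invented for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrEscapesRoot = errors.New("symlink escapes extraction root") // link or target lands outside root

// insideRoot reports whether cleaned absolute path p is absRoot or lies beneath it.
func insideRoot(absRoot, p string) bool {
	rel, err := filepath.Rel(absRoot, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeSymlinkTarget vets a symlink entry (name, target) from an archive before it
// is created under root, returning the path the link would resolve to or
// ErrEscapesRoot. The check is lexical: it assumes no ancestor of the link is
// already a symlink, which holds when every earlier entry passed the same check.
func safeSymlinkTarget(root, name, target string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	linkPath := filepath.Join(absRoot, name) // where the link is placed; "../x" escapes here
	if !insideRoot(absRoot, linkPath) {
		return "", ErrEscapesRoot
	}
	if filepath.IsAbs(target) { // an absolute target ignores root entirely
		return "", ErrEscapesRoot
	}
	resolved := filepath.Join(filepath.Dir(linkPath), target) // relative to the link's own directory
	if !insideRoot(absRoot, resolved) {
		return "", ErrEscapesRoot
	}
	return resolved, nil
}

func main() {
	// Constructed entries: a benign link, then the traversal shape the advisory describes.
	for _, e := range [][2]string{{"docs/current", "../v1"}, {"cfg", "../../etc/passwd"}} {
		_, err := safeSymlinkTarget("out", e[0], e[1])
		fmt.Println(e[0], "->", e[1], ":", err)
	}
}
```

The same check applies to hard-link targets and to regular entry names; the extractor must apply it to every entry in archive order so that no previously created link can be used to redirect a later one.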

Tags: Exploit · Fix · Path traversal

Related Identifiers

CVE-2024-47877
GHSA-8RM2-93MQ-JQHC
GO-2024-3196
OPENSUSE-SU-2024:0350-1
OPENSUSE-SU-2024:14447-1
OPENSUSE-SU-2024_3911-1
SUSE-SU-2024:3911-1

Affected Products

Suse
Textract