github.com/u-root/u-root/pkg/cpio Arbitrary File Write via Archive Extraction (Zip Slip)
High severity
GitHub Reviewed
Published
Apr 24, 2024
to the GitHub Advisory Database
•
Updated Apr 24, 2024
Package
Affected versions
<= 7.0.0
Patched versions
None
Description
Published to the GitHub Advisory Database
Apr 24, 2024
Reviewed
Apr 24, 2024
Last updated
Apr 24, 2024
This affects all versions of package github.com/u-root/u-root/pkg/cpio up to and including 7.0.0. It is vulnerable to leading, non-leading relative path traversal attacks and symlink based (relative and absolute) path traversal attacks in cpio file extraction.
References