Vulnerability Details CVE-2020-7667
In package github.com/sassoftware/go-rpmutils/cpio before version 0.1.0, the CPIO extraction functionality doesn't sanitize the paths of the archived files for leading and non-leading ".." which leads in file extraction outside of the current directory. Note: the fixing commit was applied to all affected versions which were re-released.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 60.8%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://github.com/sassoftware/go-rpmutils/commit/a64058cf21b8aada501bba923c9aab66fb6febf0
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSASSOFTWAREGORPMUTILSCPIO-570427
- https://github.com/sassoftware/go-rpmutils/commit/a64058cf21b8aada501bba923c9aab66fb6febf0
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSASSOFTWAREGORPMUTILSCPIO-570427
Products affected by CVE-2020-7667
-
cpe:2.3:a:sas:go_rpm_utils:*