Vulnerability Details CVE-2024-47877
Extract is a Go library to extract archives in zip, tar.gz or tar.bz2 formats. A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory. This vulnerability is fixed in 4.0.0. If you're using the Extractor.FS interface, then upgrading to /v4 will require implementing the new methods that have been added.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 14.0%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2024-47877
- cpe:2.3:a:codeclysm:extract:-
- cpe:2.3:a:codeclysm:extract:1
- cpe:2.3:a:codeclysm:extract:1.0.1
- cpe:2.3:a:codeclysm:extract:1.1.0
- cpe:2.3:a:codeclysm:extract:1.1.1
- cpe:2.3:a:codeclysm:extract:2.0.0
- cpe:2.3:a:codeclysm:extract:2.1.0
- cpe:2.3:a:codeclysm:extract:2.1.1
- cpe:2.3:a:codeclysm:extract:2.2.0
- cpe:2.3:a:codeclysm:extract:3.0.0
- cpe:2.3:a:codeclysm:extract:3.0.1
- cpe:2.3:a:codeclysm:extract:3.0.2
- cpe:2.3:a:codeclysm:extract:3.1.0
- cpe:2.3:a:codeclysm:extract:3.1.1