CVE-2020-36560: go-unzip vulnerable to Path Traversal

December 28, 2022 (updated December 30, 2022)

Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

References

github.com/advisories/GHSA-rmj9-q58g-9qgg
github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7dfe0
github.com/artdarek/go-unzip/pull/2
nvd.nist.gov/vuln/detail/CVE-2020-36560
pkg.go.dev/vuln/GO-2020-0034
snyk.io/research/zip-slip-vulnerability

Code Behaviors & Features

Detect and mitigate CVE-2020-36560 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →