{"id":"CVE-2020-26277","details":"DBdeployer is a tool that deploys MySQL database servers easily. In DBdeployer before version 1.58.2, users unpacking a tarball may use a maliciously packaged tarball that contains symlinks to files external to the target. In such a scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defenses. For the attack to succeed, the following factors need to contribute: 1) The user is logged in as root. While dbdeployer is usable as root, it was designed to run as an unprivileged user. 2) The user has taken a tarball from a non-secure source, without testing the checksum. When the tarball is retrieved through dbdeployer, the checksum is compared before attempting to unpack. This has been fixed in version 1.58.2.","aliases":["GHSA-47wr-426j-fr82","GO-2022-0787"],"modified":"2026-03-13T22:01:24.205456Z","published":"2020-12-21T22:15:13.317Z","related":["GHSA-47wr-426j-fr82"],"references":[{"type":"ADVISORY","url":"https://github.com/datacharmer/dbdeployer/security/advisories/GHSA-47wr-426j-fr82"},{"type":"FIX","url":"https://github.com/datacharmer/dbdeployer/commit/548e256c1de2f99746e861454e7714ec6bc9bb10"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/datacharmer/dbdeployer","events":[{"introduced":"0"},{"fixed":"548e256c1de2f99746e861454e7714ec6bc9bb10"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.58.2"}]}}],"versions":["0.1.0","0.1.01","0.1.02","0.1.03","0.1.04","0.1.05","0.1.06","0.1.07","0.1.08","0.1.09","0.1.10","0.1.11","0.1.13","0.1.14","0.1.15","0.1.16","0.1.18","0.1.19","0.1.20","0.1.22","0.1.23","0.1.24","0.2.0","0.2.1","0.2.2","0.2.4","0.3.0","0.3.1","0.3.7","0.3.9","1.0.0","1.0.1","1.1.0","1.1.1","1.10.0","1.10.1","1.11.0","1.12.0","1.12.1","1.12.3","1.13.0","1.14.0","1.17.1","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.43.0","1.43.1","1.5.0","1.5.2","1.5.3","1.6.0","1.7.0","1.8.0","1.8.3","1.8.4","1.9.0","v1.16.0","v1.17.0","v1.19.0","v1.21.0","v1.22.0","v1.23.0","v1.24.0","v1.26.0","v1.27.0","v1.28.0","v1.28.1","v1.29.0","v1.30.0","v1.30.1","v1.31.0","v1.32.0","v1.33.0","v1.34.0","v1.35.0","v1.36.0","v1.36.1","v1.38.0","v1.39.0","v1.39.1","v1.40.0","v1.41.0","v1.42.0","v1.43.0","v1.43.1","v1.44.0","v1.45.0","v1.46.0","v1.47.0","v1.49.0","v1.50.0","v1.50.1","v1.50.2","v1.51.0","v1.51.1","v1.51.2","v1.52.0","v1.53.0","v1.53.1","v1.53.2","v1.53.3","v1.54.0","v1.54.1","v1.55.0","v1.56.0","v1.57.0","v1.58.0","v1.58.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26277.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"}]}