{"id":"GHSA-88jf-7rch-32qc","summary":"github.com/unknwon/cae Path Traversal vulnerability","details":"The ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading \"..\". This allows an attacker to add or replace files system-wide.","aliases":["CVE-2020-7668","GO-2020-0041"],"modified":"2023-11-08T04:04:03.732608Z","published":"2021-05-18T20:31:18Z","database_specific":{"github_reviewed_at":"2021-05-12T20:32:28Z","nvd_published_at":"2020-06-23T19:38:00Z","severity":"HIGH","github_reviewed":true,"cwe_ids":["CWE-22"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7668"},{"type":"WEB","url":"https://github.com/unknwon/cae/commit/07971c00a1bfd9dc171c3ad0bfab5b67c2287e11"},{"type":"PACKAGE","url":"https://github.com/unknwon/cae"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2020-0041"},{"type":"WEB","url":"https://snyk.io/research/zip-slip-vulnerability"},{"type":"WEB","url":"https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUNKNWONCAETZ-570384"}],"affected":[{"package":{"name":"github.com/unknwon/cae","ecosystem":"Go","purl":"pkg:golang/github.com/unknwon/cae"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.0.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-88jf-7rch-32qc/GHSA-88jf-7rch-32qc.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}