    4 vulnerabilities found for go-slug by hashicorp

    CVE-2025-0377 (GCVE-0-2025-0377)

    Vulnerability from nvd – Published: 2025-01-21 15:23 – Updated: 2025-02-12 20:41
    Title
    HashiCorp go-slug Vulnerable to Zip Slip Attack
    Summary
    HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.
    SSVC
    Exploitation: none; Automatable: yes; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-59 - Improper Link Resolution Before File Access (Link Following)
    Impacted products
    Vendor: HashiCorp
    Product: Shared library
    Version: Affected: 0, < 0.16.2 (semver)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0377",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-21T15:57:06.387281Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:20.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "64 bit",
                "32 bit",
                "x86",
                "ARM",
                "MacOS",
                "Windows",
                "Linux"
              ],
              "product": "Shared library",
              "repo": "https://github.com/hashicorp/go-slug",
              "vendor": "HashiCorp",
              "versions": [
                {
                  "lessThan": "0.16.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHashiCorp\u2019s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.\u003c/p\u003e\u003cbr/\u003e"
                }
              ],
              "value": "HashiCorp\u2019s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126: Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (Link Following)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-21T15:23:53.104Z",
            "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
            "shortName": "HashiCorp"
          },
          "references": [
            {
              "url": "https://discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack"
            }
          ],
          "source": {
            "advisory": "HCSEC-2025-01",
            "discovery": "EXTERNAL"
          },
          "title": "HashiCorp go-slug Vulnerable to Zip Slip Attack"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "assignerShortName": "HashiCorp",
        "cveId": "CVE-2025-0377",
        "datePublished": "2025-01-21T15:23:53.104Z",
        "dateReserved": "2025-01-10T14:21:11.221Z",
        "dateUpdated": "2025-02-12T20:41:20.897Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-29529 (GCVE-0-2020-29529)

    Vulnerability from nvd – Published: 2020-12-03 19:04 – Updated: 2024-08-04 16:55
    Summary
    HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.
    Severity
    No CVSS data available.
    CWE
    • n/a

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:55:10.521Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/hashicorp/go-slug/releases/tag/v0.5.0"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/hashicorp/go-slug/compare/v0.4.3...v0.5.0"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/hashicorp/go-slug/pull/12"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-22T01:17:23.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/hashicorp/go-slug/releases/tag/v0.5.0"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/hashicorp/go-slug/compare/v0.4.3...v0.5.0"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/hashicorp/go-slug/pull/12"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-29529",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/hashicorp/go-slug/releases/tag/v0.5.0",
                  "refsource": "MISC",
                  "url": "https://github.com/hashicorp/go-slug/releases/tag/v0.5.0"
                },
                {
                  "name": "https://github.com/hashicorp/go-slug/compare/v0.4.3...v0.5.0",
                  "refsource": "MISC",
                  "url": "https://github.com/hashicorp/go-slug/compare/v0.4.3...v0.5.0"
                },
                {
                  "name": "https://github.com/hashicorp/go-slug/pull/12",
                  "refsource": "MISC",
                  "url": "https://github.com/hashicorp/go-slug/pull/12"
                },
                {
                  "name": "https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug",
                  "refsource": "MISC",
                  "url": "https://securitylab.github.com/advisories/GHSL-2020-262-zipslip-go-slug"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-29529",
        "datePublished": "2020-12-03T19:04:50.000Z",
        "dateReserved": "2020-12-03T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:55:10.521Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-0377 (GCVE-0-2025-0377)

    Vulnerability from cvelistv5 – Published: 2025-01-21 15:23 – Updated: 2025-02-12 20:41
    Title
    HashiCorp go-slug Vulnerable to Zip Slip Attack
    Summary
    HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.
    SSVC
    Exploitation: none; Automatable: yes; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-59 - Improper Link Resolution Before File Access (Link Following)
    Impacted products
    Vendor: HashiCorp
    Product: Shared library
    Version: Affected: 0, < 0.16.2 (semver)

    CVE-2020-29529 (GCVE-0-2020-29529)

    Vulnerability from cvelistv5 – Published: 2020-12-03 19:04 – Updated: 2024-08-04 16:55
    Summary
    HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.
    Severity
    No CVSS data available.
    CWE
    • n/a