Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1992 vulnerabilities reference this CWE, most recent first.

GHSA-G2X6-C7HH-8CFM

Vulnerability from github – Published: 2022-05-17 01:27 – Updated: 2022-05-17 01:27
VLAI
Details

axiom-test.sh in axiom 20100701-1.1 uses tempfile to create a safe temporary file but appends a suffix to the original filename and writes to this new filename, which allows local users to overwrite arbitrary files via a symlink attack on the new filename.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-1640"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-01-28T00:55:00Z",
    "severity": "LOW"
  },
  "details": "axiom-test.sh in axiom 20100701-1.1 uses tempfile to create a safe temporary file but appends a suffix to the original filename and writes to this new filename, which allows local users to overwrite arbitrary files via a symlink attack on the new filename.",
  "id": "GHSA-g2x6-c7hh-8cfm",
  "modified": "2022-05-17T01:27:07Z",
  "published": "2022-05-17T01:27:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1640"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90663"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736358"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/01/22/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/01/22/4"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/102383"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G37G-6895-QW74

Vulnerability from github – Published: 2026-07-18 18:30 – Updated: 2026-07-18 18:30
VLAI
Details

A vulnerability was identified in nearai ironclaw up to 0.29.1. The affected element is the function validate_path of the file src/tools/builtin/path_utils.rs of the component write_file. The manipulation leads to link following. Local access is required to approach this attack. The exploit is publicly available and might be used. The identifier of the patch is 369ff3d240cf3c0787b50e1e9f182e1a06c71255. It is recommended to apply a patch to fix this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-16130"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-18T18:16:37Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was identified in nearai ironclaw up to 0.29.1. The affected element is the function validate_path of the file src/tools/builtin/path_utils.rs of the component write_file. The manipulation leads to link following. Local access is required to approach this attack. The exploit is publicly available and might be used. The identifier of the patch is 369ff3d240cf3c0787b50e1e9f182e1a06c71255. It is recommended to apply a patch to fix this issue.",
  "id": "GHSA-g37g-6895-qw74",
  "modified": "2026-07-18T18:30:21Z",
  "published": "2026-07-18T18:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-16130"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearai/ironclaw/issues/4797"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearai/ironclaw/pull/4869"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearai/ironclaw/commit/369ff3d240cf3c0787b50e1e9f182e1a06c71255"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearai/ironclaw"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-16130"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/856883"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/379848"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/379848/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G39H-563W-FG8C

Vulnerability from github – Published: 2025-11-11 00:30 – Updated: 2025-12-08 18:30
VLAI
Details

A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.19, 3.15.14, 3.16.10, 3.17.7 and 3.18.1. This vulnerability was reported via the GitHub Bug Bounty program.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-10T23:15:41Z",
    "severity": "HIGH"
  },
  "details": "A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user\u2019s authorized keys\u2014thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.19, 3.15.14, 3.16.10, 3.17.7 and 3.18.1. This vulnerability was reported via the GitHub Bug Bounty program.",
  "id": "GHSA-g39h-563w-fg8c",
  "modified": "2025-12-08T18:30:25Z",
  "published": "2025-11-11T00:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11578"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.19"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.14"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.10"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.7"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.1"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G3CJ-QPC9-PHM2

Vulnerability from github – Published: 2023-04-18 18:30 – Updated: 2024-04-04 03:32
VLAI
Details

An NTFS Junction condition exists in the Qualys Cloud Agent for Windows platform in versions before 4.8.0.31. Attackers may write files to arbitrary locations via a local attack vector. This allows attackers to assume the privileges of the process, and they may delete or otherwise on unauthorized files, allowing for the potential modification or deletion of sensitive files limited only to that specific directory/file object. This vulnerability is bounded only to the time of uninstallation and can only be exploited locally.

At the time of this disclosure, versions before 4.0 are classified as End of Life.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28141"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-18T16:15:09Z",
    "severity": "MODERATE"
  },
  "details": "\nAn NTFS Junction condition exists in the Qualys Cloud Agent\nfor Windows platform in versions before 4.8.0.31. Attackers may write files to\narbitrary locations via a local attack vector. This allows attackers to assume\nthe privileges of the process, and they may delete or otherwise on unauthorized\nfiles, allowing for the potential modification or deletion of sensitive files\nlimited only to that specific directory/file object. This vulnerability is\nbounded only to the time of uninstallation and can only be exploited locally.\n\n\n\nAt the time of this disclosure, versions before 4.0 are\nclassified as End of Life.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n",
  "id": "GHSA-g3cj-qpc9-phm2",
  "modified": "2024-04-04T03:32:08Z",
  "published": "2023-04-18T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28141"
    },
    {
      "type": "WEB",
      "url": "https://www.qualys.com/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G3QR-GJFX-RH5P

Vulnerability from github – Published: 2022-05-28 00:00 – Updated: 2022-06-09 00:00
VLAI
Details

Trend Micro Maximum Security 2022 is vulnerable to a link following vulnerability that could allow a low privileged local user to manipulate the product’s secure erase feature to delete arbitrary files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-27T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "Trend Micro Maximum Security 2022 is vulnerable to a link following vulnerability that could allow a low privileged local user to manipulate the product\u2019s secure erase feature to delete arbitrary files.",
  "id": "GHSA-g3qr-gjfx-rh5p",
  "modified": "2022-06-09T00:00:21Z",
  "published": "2022-05-28T00:00:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30687"
    },
    {
      "type": "WEB",
      "url": "https://helpcenter.trendmicro.com/en-us/article/tmka-11017"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-789"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G44J-7VP3-68CV

Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2024-02-02 15:59
VLAI
Summary
Arbitrary File Write in Libcontainer
Details

Libcontainer 1.6.0, as used in Docker Engine, allows local users to escape containerization ("mount namespace breakout") and write to arbitrary file on the host system via a symlink attack in an image when respawning a container.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/docker/docker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-3629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-19T22:08:41Z",
    "nvd_published_at": "2015-05-18T15:59:15Z",
    "severity": "HIGH"
  },
  "details": "Libcontainer 1.6.0, as used in Docker Engine, allows local users to escape containerization (\"mount namespace breakout\") and write to arbitrary file on the host system via a symlink attack in an image when respawning a container.",
  "id": "GHSA-g44j-7vp3-68cv",
  "modified": "2024-02-02T15:59:34Z",
  "published": "2022-02-15T01:57:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3629"
    },
    {
      "type": "WEB",
      "url": "https://github.com/docker/docker/commit/d5ebb60bddbabea0439213501f4f6ed494b23cba"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!searchin/docker-user/1.6.1/docker-user/47GZrihtr-4/nwgeOOFLexIJ"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#%21searchin/docker-user/1.6.1/docker-user/47GZrihtr-4/nwgeOOFLexIJ"
    },
    {
      "type": "WEB",
      "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3629"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-05/msg00023.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/131835/Docker-Privilege-Escalation-Information-Disclosure.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2015/May/28"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/74558"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Arbitrary File Write in Libcontainer"
}

GHSA-G47J-994J-JC39

Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2023-01-31 18:30
VLAI
Details

ZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the report from a directory with low privileges. A sophisticated timed attacker can replace those files with malicious or linked content, such as exploiting CVE-2020-0896 on unpatched systems.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-04T14:15:00Z",
    "severity": "LOW"
  },
  "details": "ZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the report from a directory with low privileges. A sophisticated timed attacker can replace those files with malicious or linked content, such as exploiting CVE-2020-0896 on unpatched systems.",
  "id": "GHSA-g47j-994j-jc39",
  "modified": "2023-01-31T18:30:23Z",
  "published": "2022-05-24T17:24:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6012"
    },
    {
      "type": "WEB",
      "url": "https://danishcyberdefence.dk/blog/zonealarm-check-point"
    },
    {
      "type": "WEB",
      "url": "https://www.zonealarm.com/anti-ransomware/release-history"
    },
    {
      "type": "WEB",
      "url": "https://www.zonealarm.com/software/extreme-security/release-history"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G555-PCG3-V642

Vulnerability from github – Published: 2022-05-17 05:53 – Updated: 2022-05-17 05:53
VLAI
Details

tkman in tkman 2.2 allows local users to overwrite arbitrary files via a symlink attack on a (1) /tmp/tkman##### or (2) /tmp/ll temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5137"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-18T16:00:00Z",
    "severity": "MODERATE"
  },
  "details": "tkman in tkman 2.2 allows local users to overwrite arbitrary files via a symlink attack on a (1) /tmp/tkman##### or (2) /tmp/ll temporary file.",
  "id": "GHSA-g555-pcg3-v642",
  "modified": "2022-05-17T05:53:11Z",
  "published": "2022-05-17T05:53:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5137"
    },
    {
      "type": "WEB",
      "url": "http://lists.debian.org/debian-devel/2008/08/msg00285.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/32407"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G5JP-8PCQ-GG3C

Vulnerability from github – Published: 2022-05-17 05:45 – Updated: 2022-05-17 05:45
VLAI
Details

mailscanner 4.55.10 and other versions before 4.74.16-1 might allow local users to overwrite arbitrary files via a symlink attack on certain temporary files used by the (1) f-prot-autoupdate, (2) clamav-autoupdate, (3) panda-autoupdate.new, (4) trend-autoupdate.new, and (5) rav-autoupdate.new scripts in /etc/MailScanner/autoupdate/, a different vulnerability than CVE-2008-5140.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-12-03T17:30:00Z",
    "severity": "MODERATE"
  },
  "details": "mailscanner 4.55.10 and other versions before 4.74.16-1 might allow local users to overwrite arbitrary files via a symlink attack on certain temporary files used by the (1) f-prot-autoupdate, (2) clamav-autoupdate, (3) panda-autoupdate.new, (4) trend-autoupdate.new, and (5) rav-autoupdate.new scripts in /etc/MailScanner/autoupdate/, a different vulnerability than CVE-2008-5140.",
  "id": "GHSA-g5jp-8pcq-gg3c",
  "modified": "2022-05-17T05:45:03Z",
  "published": "2022-05-17T05:45:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5312"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506353#44"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/33117"
    },
    {
      "type": "WEB",
      "url": "http://www.mailscanner.info/ChangeLog"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/11/29/1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/32557"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G5V4-5X39-VWHX

Vulnerability from github – Published: 2022-02-15 00:32 – Updated: 2022-10-25 20:26
VLAI
Summary
Zip slip directory exploit in github.com/deislabs/oras
Details

Impact

The directory support (#55) allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links.

A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs oras pull.

Precisely, the following users of the affected versions are impacted - oras CLI users who runs oras pull. - Go programs, which invokes github.com/deislabs/oras/pkg/content.FileStore.

Patches

The problem has been patched by the PR linked with this advisory. Users should upgrade their oras CLI and packages to 0.9.0.

Workarounds

For oras CLI users, there is no workarounds other than pulling from a trusted artifact provider.

For oras package users, the workaround is to not use github.com/deislabs/oras/pkg/content.FileStore, and use other content stores instead, or pull from a trusted artifact provider.

References

For more information

If you have any questions or comments about this advisory: * Open an issue on the GitHub repo * Email the list of maintainers

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/deislabs/oras"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21272"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-21T14:42:50Z",
    "nvd_published_at": "2021-01-25T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe directory support (#55) allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links.\n\nA well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs `oras pull`. \n\nPrecisely, the following users of the affected versions are impacted\n- `oras` CLI users who runs `oras pull`.\n- Go programs, which invokes `github.com/deislabs/oras/pkg/content.FileStore`.\n\n### Patches\nThe problem has been patched by the PR linked with this advisory. Users should upgrade their `oras` CLI and packages to `0.9.0`.\n\n### Workarounds\nFor `oras` CLI users, there is no workarounds other than pulling from a trusted artifact provider.\n\nFor `oras` package users, the workaround is to not use `github.com/deislabs/oras/pkg/content.FileStore`, and use other content stores instead, or pull from a trusted artifact provider.\n\n### References\n- [Zip Slip](https://github.com/snyk/zip-slip-vulnerability)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue on the [GitHub repo](https://github.com/deislabs/oras)\n* Email the [list of maintainers](https://github.com/deislabs/oras/blob/main/MAINTAINERS)",
  "id": "GHSA-g5v4-5x39-vwhx",
  "modified": "2022-10-25T20:26:42Z",
  "published": "2022-02-15T00:32:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21272"
    },
    {
      "type": "WEB",
      "url": "https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/deislabs/oras"
    },
    {
      "type": "WEB",
      "url": "https://github.com/deislabs/oras/releases/tag/v0.9.0"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/github.com/deislabs/oras/pkg/oras"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2021-0099"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zip slip directory exploit in github.com/deislabs/oras"
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.