Vulnerabilites related to codeclysm - extract
Vulnerability from fkie_nvd
Published
2024-10-11 17:15
Modified
2024-11-22 19:30
Severity ?
Summary
Extract is aA Go library to extract archives in zip, tar.gz or tar.bz2 formats. A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory. This vulnerability is fixed in 4.0.0. If you're using the Extractor.FS interface, then upgrading to /v4 will require to implement the new methods that have been added.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:codeclysm:extract:*:*:*:*:*:go:*:*", matchCriteriaId: "7BF5AF68-84C2-4A0A-AE54-B0D32AB2EFCB", versionEndExcluding: "4.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Extract is aA Go library to extract archives in zip, tar.gz or tar.bz2 formats. A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory. This vulnerability is fixed in 4.0.0. If you're using the Extractor.FS interface, then upgrading to /v4 will require to implement the new methods that have been added.", }, { lang: "es", value: "Extract es una librería Go para extraer archivos en formato zip, tar.gz o tar.bz2. Un archivo manipulado con fines malintencionados puede permitir a un atacante crear un enlace simbólico fuera del directorio de destino de la extracción. Esta vulnerabilidad se ha corregido en la versión 4.0.0. Si utiliza la interfaz Extractor.FS, la actualización a /v4 requerirá la implementación de los nuevos métodos que se han añadido.", }, ], id: "CVE-2024-47877", lastModified: "2024-11-22T19:30:48.913", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], cvssMetricV40: [ { cvssData: { Automatable: "NOT_DEFINED", Recovery: "NOT_DEFINED", Safety: "NOT_DEFINED", attackComplexity: "LOW", attackRequirements: "NONE", attackVector: "NETWORK", availabilityRequirement: "NOT_DEFINED", baseScore: 6.9, baseSeverity: "MEDIUM", confidentialityRequirement: "NOT_DEFINED", exploitMaturity: "NOT_DEFINED", integrityRequirement: "NOT_DEFINED", modifiedAttackComplexity: "NOT_DEFINED", modifiedAttackRequirements: "NOT_DEFINED", modifiedAttackVector: "NOT_DEFINED", modifiedPrivilegesRequired: "NOT_DEFINED", modifiedSubAvailabilityImpact: "NOT_DEFINED", modifiedSubConfidentialityImpact: "NOT_DEFINED", modifiedSubIntegrityImpact: "NOT_DEFINED", modifiedUserInteraction: "NOT_DEFINED", modifiedVulnAvailabilityImpact: "NOT_DEFINED", modifiedVulnConfidentialityImpact: "NOT_DEFINED", modifiedVulnIntegrityImpact: "NOT_DEFINED", privilegesRequired: "NONE", providerUrgency: "NOT_DEFINED", subAvailabilityImpact: "NONE", subConfidentialityImpact: "NONE", subIntegrityImpact: "NONE", userInteraction: "NONE", valueDensity: "NOT_DEFINED", vectorString: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", version: "4.0", vulnAvailabilityImpact: "NONE", vulnConfidentialityImpact: "NONE", vulnIntegrityImpact: "LOW", vulnerabilityResponseEffort: "NOT_DEFINED", }, source: "security-advisories@github.com", type: "Secondary", }, ], }, published: "2024-10-11T17:15:04.450", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/codeclysm/extract/commit/4a98568021b8e289345c7f526ccbd7ed732cf286", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/codeclysm/extract/security/advisories/GHSA-8rm2-93mq-jqhc", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, { lang: "en", value: "CWE-61", }, ], source: "security-advisories@github.com", type: "Primary", }, ], }
CVE-2024-47877 (GCVE-0-2024-47877)
Vulnerability from cvelistv5
Published
2024-10-11 16:36
Modified
2024-10-11 17:49
Severity ?
EPSS score ?
Summary
Extract is aA Go library to extract archives in zip, tar.gz or tar.bz2 formats. A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory. This vulnerability is fixed in 4.0.0. If you're using the Extractor.FS interface, then upgrading to /v4 will require to implement the new methods that have been added.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/codeclysm/extract/security/advisories/GHSA-8rm2-93mq-jqhc | x_refsource_CONFIRM | |
| https://github.com/codeclysm/extract/commit/4a98568021b8e289345c7f526ccbd7ed732cf286 | x_refsource_MISC |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:codeclysm:extract:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "extract", vendor: "codeclysm", versions: [ { lessThan: "4.0.0", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-47877", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-11T17:43:37.934098Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-11T17:49:34.466Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "extract", vendor: "codeclysm", versions: [ { status: "affected", version: "< 4.0.0", }, ], }, ], descriptions: [ { lang: "en", value: "Extract is aA Go library to extract archives in zip, tar.gz or tar.bz2 formats. A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory. This vulnerability is fixed in 4.0.0. If you're using the Extractor.FS interface, then upgrading to /v4 will require to implement the new methods that have been added.", }, ], metrics: [ { cvssV4_0: { attackComplexity: "LOW", attackRequirements: "NONE", attackVector: "NETWORK", baseScore: 6.9, baseSeverity: "MEDIUM", privilegesRequired: "NONE", subAvailabilityImpact: "NONE", subConfidentialityImpact: "NONE", subIntegrityImpact: "NONE", userInteraction: "NONE", vectorString: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", version: "4.0", vulnAvailabilityImpact: "NONE", vulnConfidentialityImpact: "NONE", vulnIntegrityImpact: "LOW", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-61", description: "CWE-61: UNIX Symbolic Link (Symlink) Following", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-10-11T16:36:29.763Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/codeclysm/extract/security/advisories/GHSA-8rm2-93mq-jqhc", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/codeclysm/extract/security/advisories/GHSA-8rm2-93mq-jqhc", }, { name: "https://github.com/codeclysm/extract/commit/4a98568021b8e289345c7f526ccbd7ed732cf286", tags: [ "x_refsource_MISC", ], url: "https://github.com/codeclysm/extract/commit/4a98568021b8e289345c7f526ccbd7ed732cf286", }, ], source: { advisory: "GHSA-8rm2-93mq-jqhc", discovery: "UNKNOWN", }, title: "Extract has insufficient checks allowing attacker to create symlinks outside the extraction directory.", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-47877", datePublished: "2024-10-11T16:36:29.763Z", dateReserved: "2024-10-04T16:00:09.630Z", dateUpdated: "2024-10-11T17:49:34.466Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }