Extract has insufficient checks allowing attacker to create symlinks outside the extraction directory.
Moderate severity
GitHub Reviewed
Published
Oct 11, 2024
in
codeclysm/extract
•
Updated Oct 11, 2024
Description
Published by the National Vulnerability Database
Oct 11, 2024
Published to the GitHub Advisory Database
Oct 11, 2024
Reviewed
Oct 11, 2024
Last updated
Oct 11, 2024
Impact
A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory.
Patches
Please use version 4.0.0 or later
github.com/codeclysm/extract/v4
. Any previous version is affected by the bug.Workarounds
No knows workarounds.
Backward compatibility notes about upgrading to
/v4
from/v3
If you're not using the
extract.Extractor.FS
interface, you will not face any breaking changes and upgrading should be as simple as changing the import to/v4
. This should be the case for most of the userbase.If you're using the
Extractor.FS
interface, then upgrading to/v4
will require to implement the new methods that have been added:There should be no other breaking changes in the
/v4
API.References