CVE-2020-26279

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-26279

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26279.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-26279

Aliases

Published

2021-03-24T21:15:11.037Z

Modified

2026-03-10T21:47:46.168156Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0-rc1, it is possible for path traversal to occur with DAGs containing relative paths during retrieval. This can cause files to be overwritten, or written to incorrect output directories. The issue can only occur when a get is done on an affected DAG. This is fixed in version 0.8.0-rc1.

References

Affected packages

Git / github.com/ipfs/go-ipfs

Affected ranges

Type

GIT

Repo

https://github.com/ipfs/go-ipfs

Events

Introduced

Last affected

ea77213e31ef2b3cad81d40bf82bb9baef3ea7b6

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.7.0"
        }
    ]
}

Type
Repo: https://github.com/ipfs/kubo
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

b7ddba7fe47dee5b1760b8ffe897908417e577b2

Type
Repo: https://github.com/whyrusleeping/tar-utils
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20a61371de5b51380bbdb0c7935b30b0625ac227

Affected versions

v0.*

v0.2.2

v0.2.2-buildfails

v0.2.3

v0.2.3-buildfails

v0.3.10

v0.3.11

v0.3.11-rc1

v0.3.2

v0.3.3

v0.3.3-buildfails

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.3.9

v0.4.0

v0.4.0-rc1

v0.4.0-rc2

v0.4.0-rc3

v0.4.1

v0.4.1-rc1

v0.4.10

v0.4.10-rc1

v0.4.11

v0.4.11-rc1

v0.4.11-rc2

v0.4.12

v0.4.12-rc1

v0.4.12-rc2

v0.4.13

v0.4.13-rc1

v0.4.14

v0.4.14-rc1

v0.4.14-rc2

v0.4.14-rc3

v0.4.15

v0.4.15-rc1

v0.4.16

v0.4.16-rc1

v0.4.16-rc2

v0.4.16-rc3

v0.4.17

v0.4.17-rc1

v0.4.18

v0.4.18-rc1

v0.4.18-rc2

v0.4.19

v0.4.19-rc1

v0.4.19-rc2

v0.4.2

v0.4.20

v0.4.20-rc1

v0.4.20-rc2

v0.4.21

v0.4.21-rc1

v0.4.21-rc2

v0.4.21-rc3

v0.4.22

v0.4.22-rc1

v0.4.23

v0.4.23-rc1

v0.4.23-rc2

v0.4.3

v0.4.3-dev

v0.4.3-rc1

v0.4.3-rc2

v0.4.3-rc3

v0.4.3-rc4

v0.4.4

v0.4.5

v0.4.5-pre1

v0.4.5-pre2

v0.4.5-rc1

v0.4.5-rc2

v0.4.5-rc3

v0.4.5-rc4

v0.4.6

v0.4.6-rc1

v0.4.7

v0.4.7-rc1

v0.4.8

v0.4.8-rc1

v0.4.9

v0.4.9-rc1

v0.4.9-rc2

v0.5.0

v0.5.0-rc1

v0.5.0-rc2

v0.5.0-rc3

v0.5.0-rc4

v0.5.1

v0.6.0

v0.6.0-rc1

v0.6.0-rc2

v0.6.0-rc3

v0.6.0-rc4

v0.6.0-rc5

v0.6.0-rc6

v0.6.0-rc7

v0.7.0

v0.7.0-rc1

v0.7.0-rc2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26279.json"