CVE-2024-47877

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-47877
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47877.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-47877
Aliases
Downstream
Related
Published
2024-10-11T16:36:29Z
Modified
2025-10-15T14:55:20.762738Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Extract has insufficient checks allowing attacker to create symlinks outside the extraction directory.
Details

Extract is a Go library to extract archives in zip, tar.gz or tar.bz2 formats. A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory. This vulnerability is fixed in 4.0.0. If you're using the Extractor.FS interface, then upgrading to /v4 will require implementing the new methods that have been added.

References

Affected packages

Git / github.com/codeclysm/extract

Affected ranges

Type
GIT
Repo
https://github.com/codeclysm/extract
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

v1

v1.*

v1.0.1
v1.1.0
v1.1.1

v2.*

v2.0.0
v2.1.0
v2.1.1
v2.2.0

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.1.0
v3.1.1
