Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore content store may result in directory traversal during archive extraction, allowing a malicious archive to write files to arbitrary paths that the process can write to.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2021-0099" }
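
The kind of path check whose absence the advisory above describes, shown as an added Go example; it is not code from the oras project and not its fix. The tar format, the names `safeJoin`, `buildArchive` and `auditArchive`, and the root `/srv/blobs` are assumptions for illustration, and the archive is constructed in memory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin maps an entry name under root; absolute or root-escaping names are rejected.
func safeJoin(root, name string) (string, error) {
	target := filepath.Join(root, name) // Join cleans the path, collapsing ".."
	rel, err := filepath.Rel(root, target)
	if err != nil || filepath.IsAbs(name) || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q is not confined to %q", name, root)
	}
	return target, nil
}

// buildArchive returns an in-memory tar of one-byte files (constructed input).
func buildArchive(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o600, Size: 1, Typeflag: tar.TypeReg})
		tw.Write([]byte("x"))
	}
	tw.Close()
	return buf.Bytes()
}

// auditArchive checks each header name before any write; a nil header ends the walk.
func auditArchive(root string, archive []byte) (accepted, rejected []string) {
	tr := tar.NewReader(bytes.NewReader(archive))
	for hdr, _ := tr.Next(); hdr != nil; hdr, _ = tr.Next() {
		if target, err := safeJoin(root, hdr.Name); err != nil {
			rejected = append(rejected, hdr.Name)
		} else {
			accepted = append(accepted, target)
		}
	}
	return accepted, rejected
}

func main() {
	a := buildArchive("layer/config.json", "..data/ok", "../evil", "a/../../evil", "/tmp/evil")
	fmt.Println(auditArchive("/srv/blobs", a))
}
```

Comparing the cleaned relative path, rather than testing whether the target string starts with the root, also rejects sibling directories such as `/srv/blobs-evil` while still accepting legitimate names that merely begin with two dots.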