GO-2024-2490

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2024-2490

Import Source

https://vuln.go.dev/ID/GO-2024-2490.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2024-2490

Aliases

Published

2024-02-13T18:23:23Z

Modified

2024-05-20T16:03:47Z

Summary

Path traversal in github.com/anchore/stereoscope

Details

It is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2024-2490"
}

References

Credits

- @wagoodman
- @joshbressers
- @nurmi

Affected packages

Go / github.com/anchore/stereoscope

Package

Name: github.com/anchore/stereoscope; View open source insights on deps.dev
Purl: pkg:golang/github.com/anchore/stereoscope

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/anchore/stereoscope/pkg/file",
            "symbols": [
                "UntarToDirectory"
            ]
        }
    ]
}