HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.
"}],"value":"HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry."}],"impacts":[{"capecId":"CAPEC-126","descriptions":[{"lang":"en","value":"CAPEC-126: Path Traversal"}]}],"metrics":[{"cvssV3_1":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-59","description":"CWE-59: Improper Link Resolution Before File Access (Link Following)","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"67fedba0-ff2e-4543-ba5b-aa93e87718cc","shortName":"HashiCorp","dateUpdated":"2025-01-21T15:23:53.104Z"},"references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack"}],"source":{"advisory":"HCSEC-2025-01","discovery":"EXTERNAL"},"title":"HashiCorp go-slug Vulnerable to Zip Slip Attack"},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2025-0377","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2025-01-21T15:57:06.387281Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-12T20:41:20.897Z"}}]}}