High severity7.5NVD Advisory· Published Jun 24, 2020· Updated Jun 17, 2026
CVE-2020-7667
CVE-2020-7667
Description
In package github.com/sassoftware/go-rpmutils/cpio before version 0.1.0, the CPIO extraction functionality doesn't sanitize the paths of the archived files for leading and non-leading ".." which leads in file extraction outside of the current directory. Note: the fixing commit was applied to all affected versions which were re-released.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/sassoftware/go-rpmutilsGo | < 0.1.0 | 0.1.0 |
Affected products
2- github.com/sassoftware/go-rpmutils/cpiodescription
Patches
Vulnerability mechanics
References
6- github.com/sassoftware/go-rpmutils/commit/a64058cf21b8aada501bba923c9aab66fb6febf0nvdPatchThird Party AdvisoryWEB
- snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSASSOFTWAREGORPMUTILSCPIO-570427nvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-9423-6c93-gpp8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-7667ghsaADVISORY
- pkg.go.dev/vuln/GO-2020-0042ghsaWEB
- snyk.io/research/zip-slip-vulnerabilityghsaWEB
News mentions
0No linked articles in our index yet.