CVE-2024-47877 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-47877

CVE-2024-47877

October 11, 2024

Extract is aA Go library to extract archives in zip, tar.gz or tar.bz2 formats. A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory. This vulnerability is fixed in 4.0.0. If you're using the Extractor.FS interface, then upgrading to /v4 will require to implement the new methods that have been added.

Related Resources (4)

https://github.com/codeclysm/extract

https://github.com/codeclysm/extract/security/advisories/GHSA-8rm2-93mq-jqhc

https://nvd.nist.gov/vuln/detail/CVE-2024-47877

https://github.com/codeclysm/extract/commit/4a98568021b8e289345c7f526ccbd7ed732cf286

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Weakness Type (CWE)

UNIX Symbolic Link (Symlink) Following

CWE-61

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

EPSS

Base Score:

0.60

Products

Solutions

Resources

Company

Compare

Developer Tools