CVE-2020-26279: Path traversal in github.com/ipfs/go-ipfs

CVSS Score: 7.7 (CVSS v3.1)

Basic Information

EPSS Score: 0.82017%
Published: 6/23/2021
Updated: 1/9/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/ipfs/go-ipfs | go | < 0.8.0 | 0.8.0 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability was patched in `whyrusleeping/tar-utils@20a6137` by adding explicit checks for `..` path components in the `outputPath` function. The commit diff shows that the vulnerable version lacked these checks, allowing malicious tar entries to write files outside the target directory. Since the CVE specifically describes path traversal during DAG retrieval via `ipfs get`, and the patch was applied to this utility function, which go-ipfs uses for tar extraction, `outputPath` is clearly the vulnerable function.
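As an added illustration (not code from go-ipfs or tar-utils), the following is a hypothetical hardened `outputPath` that applies the kind of `..` component check the patch introduces, so a tar entry can never resolve outside the extraction directory; `outDir` and the entry names are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for archive entries that would escape outDir.
var ErrTraversal = errors.New("tar entry escapes output directory")

// outputPath is a hypothetical hardened helper (not the tar-utils code itself).
// It joins a tar entry name onto outDir and rejects any entry that is absolute
// or contains a ".." component, so extraction cannot write outside outDir.
func outputPath(outDir, entryName string) (string, error) {
	// Tar entry names use forward slashes regardless of the host OS.
	name := filepath.FromSlash(entryName)
	if filepath.IsAbs(name) {
		return "", ErrTraversal
	}
	// Explicit ".." component check, mirroring the fix described above.
	for _, comp := range strings.Split(filepath.ToSlash(name), "/") {
		if comp == ".." {
			return "", ErrTraversal
		}
	}
	dest := filepath.Join(outDir, name)
	// Belt and braces: confirm the cleaned result still lies under outDir.
	rel, err := filepath.Rel(outDir, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return dest, nil
}

func main() {
	// Constructed entry names: two safe, two that would escape outDir.
	for _, name := range []string{"dir/file.txt", "./a/b", "../outside.txt", "a/../../x"} {
		p, err := outputPath("/tmp/out", name)
		fmt.Printf("%-16s -> %q, %v\n", name, p, err)
	}
}
```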

### Impact

It is currently possible for path traversal to occur with DAGs containing relative paths during retrieval. This can cause files to be overwritten, or written to incorrect output directories. The issue can only occur when `ipfs get` is done
