7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26279

GHSA ID

GHSA-27pv-q55r-222g

EPSS Score

0.82017%

CWE

CWE-22

Published

6/23/2021

Updated

1/9/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-26279

CVE-2020-26279: Path traversal in github.com/ipfs/go-ipfs

Impact

It is currently possible for path traversal to occur with DAGs containing relative paths during retrieval. This can cause files to be overwritten, or written to incorrect output directories. The issue can only occur when ipfs get is done on an affected DAG.

The only affected command is ipfs get.
The gateway is not affected.

Patches

Traversal fix patched in https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227 tar-utils patch applied to go-ipfs via https://github.com/ipfs/go-ipfs/commit/b7ddba7fe47dee5b1760b8ffe897908417e577b2

Workarounds

Upgrade to go-ipfs 0.8 or later.

References

Binaries for the patched versions of go-ipfs are available on the IPFS distributions site, https://dist.ipfs.io/go-ipfs

For more information

If you have any questions or comments about this advisory:

Open an issue in go-ipfs
Email us at security@ipfs.io

(GitHub Advisory)

7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26279

GHSA ID

GHSA-27pv-q55r-222g

EPSS Score

0.82017%

CWE

CWE-22

Published

6/23/2021

Updated

1/9/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/ipfs/go-ipfs	go	< 0.8.0	0.8.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability was patched in whyrusleeping/tar-utils@20a6137 by adding explicit checks for '..' path components in the outputPath function. The commit diff shows the vulnerable version lacked these checks, allowing malicious tar entries to write files outside the target directory. Since the CVE specifically mentions path traversal during DAG retrieval via 'ipfs get', and the patch was applied to this utility function used by go-ipfs for tar extraction, this is the clear vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t It is *urr*ntly possi*l* *or p*t* tr*v*rs*l to o**ur wit* ***s *ont*inin* r*l*tiv* p*t*s *urin* r*tri*v*l. T*is **n **us* *il*s to ** ov*rwritt*n, or writt*n to in*orr**t output *ir**tori*s. T** issu* **n only o**ur w**n `ip*s **t` is *on*

Reasoning

T** vuln*r**ility w*s p*t**** in `w*yrusl**pin*/t*r-utils@*******` *y ***in* *xpli*it ****ks *or '..' p*t* *ompon*nts in t** `outputP*t*` *un*tion. T** *ommit *i** s*ows t** vuln*r**l* v*rsion l**k** t**s* ****ks, *llowin* m*li*ious t*r *ntri*s to wr

7.7

Basic Information

Concerned about an active attack path?

CVE-2020-26279: Path traversal in github.com/ipfs/go-ipfs

Impact

Patches

Workarounds

References

For more information

7.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI