8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26312

GHSA ID

GHSA-hf54-fq2m-p9v6

EPSS Score

0.43004%

CWE

CWE-125

Published

5/14/2024

Updated

5/14/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-26312

CVE-2020-26312: dotmesh arbitrary file read and/or write

Dotmesh is a git-like command-line interface for capturing, organizing and sharing application states. In versions 0.8.1 and prior, the unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder. The routine untarFile attempts to guard against creating symbolic links that point outside the directory a tar archive is extracted to. However, a malicious tarball first linking subdir/parent to .. (allowed, because subdir/.. falls within the archive root) and then linking subdir/parent/escapes to .. results in a symbolic link pointing to the tarball’s parent directory, contrary to the routine’s goals. This issue may lead to arbitrary file write (with same permissions as the program running the unpack operation) if the attacker can control the archive file. Additionally, if the attacker has read access to the unpacked files, they may be able to read arbitrary system files the parent process has permissions to read. As of time of publication, no patch for this issue is available.

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26312

GHSA ID

GHSA-hf54-fq2m-p9v6

EPSS Score

0.43004%

CWE

CWE-125

Published

5/14/2024

Updated

5/14/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/dotmesh-io/dotmesh	go	<= 0.8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how untarFile handles symbolic links. While it uses filepath.Clean and checks for absolute paths, it fails to properly resolve nested relative symlink chains. The proof-of-concept demonstrates that creating a symlink to '..' within the archive root (allowed) followed by another symlink using that path as a base can escape the extraction directory. The function's validation logic in the tar.TypeSymlink case (lines 255-260 in tar.go) doesn't account for cumulative path traversal through multiple symlink layers, making it vulnerable to directory escape attacks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*otm*s* is * *it-lik* *omm*n*-lin* int*r**** *or **pturin*, or**nizin* *n* s**rin* *ppli**tion st*t*s. In v*rsions *.*.* *n* prior, t** uns*** **n*lin* o* sym*oli* links in *n unp**kin* routin* m*y *n**l* *tt**k*rs to r*** *n*/or writ* to *r*itr*ry l

Reasoning

T** vuln*r**ility st*ms *rom *ow `unt*r*il*` **n*l*s sym*oli* links. W*il* it us*s `*il*p*t*.*l**n` *n* ****ks *or **solut* p*t*s, it **ils to prop*rly r*solv* n*st** r*l*tiv* symlink ***ins. T** proo*-o*-*on**pt **monstr*t*s t**t *r**tin* * symlink

8.1

Basic Information

Concerned about an active attack path?

CVE-2020-26312: dotmesh arbitrary file read and/or write

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI