
CVE-2020-36566: tar-utils Path Traversal vulnerability

CVSS Score: 9.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.34429%
Published: 12/28/2022
Updated: 8/30/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Package Name: github.com/whyrusleeping/tar-utils
Ecosystem: go
Vulnerable Versions: < 0.0.0-20201201191210-20a61371de5b
First Patched Version: 0.0.0-20201201191210-20a61371de5b

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The commit diff shows the vulnerability was patched by adding a '..' check in the outputPath function. That function determines where each archive entry is written on disk, and the absence of any traversal validation before the patch directly matches the CWE-22 path traversal description. The GHSA advisory and the CVE both confirm this as the root cause.
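As an added illustration (not the tar-utils code or Miggo's analysis), the Go helper below shows the class of check the patch introduced: a '..' element in an entry name is rejected before the name is joined to the extraction directory, and the joined result is then re-checked as defence in depth. The directory and entry names are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for an archive entry that would be written outside targetDir.
var ErrTraversal = errors.New("tar entry escapes target directory")

// SafeOutputPath resolves an archive entry name against targetDir and rejects
// entries that would land outside it. Constructed illustration of the '..' check
// described in the analysis; it is not the tar-utils outputPath function itself.
func SafeOutputPath(targetDir, entryName string) (string, error) {
	// Absolute entry names can never be relative to the target: reject them outright.
	if filepath.IsAbs(entryName) || strings.HasPrefix(entryName, `\`) {
		return "", ErrTraversal
	}
	// Reject any ".." element before joining, the same class of check the patch added.
	// This is deliberately strict: "a/../b" is refused even though it would resolve inside.
	for _, elem := range strings.Split(filepath.ToSlash(entryName), "/") {
		if elem == ".." {
			return "", ErrTraversal
		}
	}
	cleanTarget := filepath.Clean(targetDir)
	out := filepath.Join(cleanTarget, entryName)
	// Defence in depth: after Clean/Join the result must still sit under targetDir.
	rel, err := filepath.Rel(cleanTarget, out)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return out, nil
}

func main() {
	// Constructed sample entry names; the second and fourth would escape the target.
	for _, name := range []string{"docs/readme.txt", "../../outside.txt", "a/../b.txt", "/abs/file.txt"} {
		p, err := SafeOutputPath("/tmp/extract", name)
		fmt.Printf("%-18s -> %q %v\n", name, p, err)
	}
}
```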


WAF Protection Rules

WAF Rule

Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
