CVE-2020-36566: tar-utils Path Traversal vulnerability
9.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.34429%
CWE
Published
12/28/2022
Updated
8/30/2023
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/whyrusleeping/tar-utils | go | < 0.0.0-20201201191210-20a61371de5b | 0.0.0-20201201191210-20a61371de5b |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The commit diff shows the vulnerability was patched by adding a '..' check in the outputPath
function. This function's purpose is to determine extraction paths, and the lack of traversal validation before the patch directly matches the CWE-22 path traversal description. The GHSA advisory and CVE both confirm this was the root cause.