Openshift Enterprise source-to-image vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip)
Moderate severity
GitHub Reviewed
Published
Feb 6, 2023
to the GitHub Advisory Database
•
Updated Oct 2, 2023
Package
Affected versions
< 1.1.10-0.20180427153919-f5cbcbc5cc6f
Patched versions
1.1.10-0.20180427153919-f5cbcbc5cc6f
Description
Published to the GitHub Advisory Database
Feb 6, 2023
Reviewed
Feb 6, 2023
Last updated
Oct 2, 2023
Openshift Enterprise source-to-image before version 1.1.10 is vulnerable to an improper validation of user input. An attacker who could trick a user into using the command to copy files locally, from a pod, could override files outside of the target directory of the command.
Specific Go Packages Affected
github.com/openshift/source-to-image/pkg/tar
References