Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
astral-tokio-tar has a path traversal in tar extraction
Vulnerability Description
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the Entry::allow_external_symlinks control (which defaults to true) could be bypassed via a pair of symlinks that individually point within the destination but combine to point outside of it. These behaviors could be used individually or combined to bypass the intended security control of limiting extraction to the given directory. This in turn would allow an attacker with a malicious tar archive to perform an arbitrary file write and potentially pivot into code execution. This issue has been patched in version 0.5.4. There is no workaround other than upgrading.
CVSS Information
N/A
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
astral-tokio-tar 安全漏洞
Vulnerability Description
astral-tokio-tar是Astral开源的一个Rust库。 astral-tokio-tar 0.5.3及之前版本存在安全漏洞,该漏洞源于Entry_unpack_in_raw API存在路径遍历问题,且Entry_allow_external_symlinks控制可被绕过,可能导致任意文件写入和代码执行。
CVSS Information
N/A
Vulnerability Type
N/A