Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Zarf: Symlink targets in archives are not validated against destination directory
Vulnerability Description
Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package. This issue has been patched in version 0.73.1.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
Zarf 路径遍历漏洞
Vulnerability Description
Zarf是zarf-dev开源的一个Kubernetes离线环境软件交付工具。 Zarf 0.54.0至0.73.1之前版本存在路径遍历漏洞,该漏洞源于归档提取存在路径遍历问题,可能导致任意文件读写。
CVSS Information
N/A
Vulnerability Type
N/A