DEBIAN-CVE-2020-29529

DEBIAN-CVE-2020-29529 PUBLISHED CVSS 7.5 HIGH

HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
Debian:12	golang-github-hashicorp-go-slug	0, 0, 0
Debian:11	golang-github-hashicorp-go-slug	0, 0, 0

Timeline

Dec 3, 2020 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2020-29529 advisory

Open in Interactive Console →