CVE-2020-29529

7.5 HIGH

📋 TL;DR

This vulnerability in HashiCorp go-slug allows an attacker who can supply a tar archive to bypass the library's directory traversal (Zip Slip) protections when the archive is unpacked, using specially crafted symlink entries. A file written through such a symlink lands outside the intended extraction directory, which can lead to arbitrary file write and, depending on what is overwritten, code execution. Anyone using go-slug versions up to and including 0.4.3 to unpack tar archives is affected.

💻 Affected Systems

Products:
  • HashiCorp go-slug
Versions: All versions up to and including 0.4.3
Operating Systems: All platforms where go-slug is used
Default Config Vulnerable: ⚠️ Yes
Notes: Only the tar archive unpacking functionality is affected; packing is not involved, and go-slug does not process zip archives

📦 What is this software?

go-slug is a HashiCorp Go library that packs a directory (typically a Terraform configuration) into a gzip-compressed tar archive called a "slug" and unpacks such slugs again. It is used by Terraform Cloud and Terraform Enterprise and by the go-tfe client library to upload and receive configuration bundles.
⚠️ Risk & Real-World Impact

🔴 Worst Case: Arbitrary file write leading to remote code execution, system compromise, or data exfiltration

🟠 Likely Case: Arbitrary file write allowing file tampering, privilege escalation, or denial of service

🟢 If Mitigated: Limited to file writes within restricted directories if proper sandboxing exists

🌐 Internet-Facing: MEDIUM - Requires tar archive upload capability, but exploitation is straightforward
🏢 Internal Only: MEDIUM - Internal systems processing untrusted tar archives remain vulnerable

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to supply a malicious tar archive to a go-slug unpacker; GitHub Security Lab published an advisory with exploitation details

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5.0

Vendor Advisory: https://github.com/hashicorp/go-slug/releases/tag/v0.5.0

Restart Required: Yes in practice. go-slug is a library, so the consuming application must be rebuilt against the fixed version and redeployed; a restart alone does not help.

Instructions:

1. Update the go-slug dependency to version 0.5.0 or later in your Go project.
2. Run 'go get github.com/hashicorp/go-slug@v0.5.0'. This also works when go-slug is only an indirect dependency (for example pulled in via go-tfe): Go's minimal version selection will use the highest version required anywhere in the build.
3. Rebuild and redeploy your application.

🔧 Temporary Workarounds

Validate tar archives before processing (all platforms): implement pre-processing validation to reject archives containing symlinks or suspicious paths

Use a sandboxed extraction directory (all platforms): extract archives to isolated, temporary directories with restricted permissions
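The workaround above says to reject "symlinks or suspicious paths", but the point of this CVE is that a purely lexical path check is not enough: two symlinks can each look harmless on their own and still chain to a directory outside the destination. The following is an added example, not go-slug's code and not the vendor's fix, of an unpacker that performs the lexical check and, in addition, resolves every parent directory through the filesystem (filepath.EvalSymlinks) before creating anything beneath it. The archive it unpacks is constructed inline for the demonstration; the entry names and the sentinel error name are assumptions of this example.

```go
package main

// Added example, not go-slug's own code: an unpacker that resolves parent
// directories on disk before writing, so lexically clean symlinks cannot escape dst.

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned when an entry would land outside the destination.
var ErrPathEscape = errors.New("archive entry escapes destination directory")

// insideRoot is the purely lexical containment test (p must already be cleaned).
func insideRoot(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(os.PathSeparator))
}

// ensureDir creates dir beneath root one component at a time, refusing to pass
// through any existing component that resolves (via symlinks) outside root.
func ensureDir(root, dir string) error {
	rel, _ := filepath.Rel(root, dir) // caller has already checked dir lexically
	cur := root
	for _, part := range strings.Split(rel, string(os.PathSeparator)) {
		cur = filepath.Join(cur, part)
		resolved, err := filepath.EvalSymlinks(cur)
		if errors.Is(err, os.ErrNotExist) {
			err = os.Mkdir(cur, 0o755)
		} else if err == nil && !insideRoot(root, resolved) {
			err = fmt.Errorf("%w: %q resolves to %q", ErrPathEscape, cur, resolved)
		}
		if err != nil {
			return err
		}
	}
	return nil
}

// SafeUnpack extracts a tar stream into the existing directory dst, accepting
// only directories, regular files and symlinks that stay inside it.
func SafeUnpack(r io.Reader, dst string) error {
	root, err := filepath.EvalSymlinks(dst) // dst itself may be a symlink
	if err != nil {
		return err
	}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		target := filepath.Join(root, hdr.Name) // Join cleans "../" sequences
		if !insideRoot(root, target) {
			return fmt.Errorf("%w: %q", ErrPathEscape, hdr.Name)
		}
		if err = ensureDir(root, filepath.Dir(target)); err != nil {
			return err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = ensureDir(root, target)
		case tar.TypeSymlink:
			// Lexical check relative to the link's directory; the sample below passes it.
			link := filepath.Join(filepath.Dir(target), hdr.Linkname)
			if filepath.IsAbs(hdr.Linkname) || !insideRoot(root, link) {
				return fmt.Errorf("%w: symlink %q -> %q", ErrPathEscape, hdr.Name, hdr.Linkname)
			}
			err = os.Symlink(hdr.Linkname, target)
		case tar.TypeReg:
			var data []byte
			if data, err = io.ReadAll(tr); err == nil { // slugs are small; no streaming here
				err = os.WriteFile(target, data, 0o644)
			}
		default: // hard links, devices etc. are rejected rather than silently skipped
			err = fmt.Errorf("unsupported entry type %d for %q", hdr.Typeflag, hdr.Name)
		}
		if err != nil {
			return err
		}
	}
}

// MaliciousArchive is a constructed sample: "dot" -> "." and "up" -> "dot/.." each
// pass the lexical check, yet on disk "up" resolves to the parent of the destination.
func MaliciousArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, l := range [][2]string{{"dot", "."}, {"up", "dot/.."}} {
		_ = tw.WriteHeader(&tar.Header{Name: l[0], Typeflag: tar.TypeSymlink, Linkname: l[1]})
	}
	_ = tw.WriteHeader(&tar.Header{Name: "up/evil.txt", Typeflag: tar.TypeReg, Mode: 0o644, Size: 6})
	_, _ = io.WriteString(tw, "owned\n")
	_ = tw.Close()
	return buf.Bytes()
}

func main() {
	dst, _ := os.MkdirTemp("", "unpack")
	defer os.RemoveAll(dst)
	fmt.Println(SafeUnpack(bytes.NewReader(MaliciousArchive()), dst))
}
```

Both symlinks in the sample are created, because filepath.Join(root, ".") and filepath.Join(root, "dot/..") both clean to root and a lexical check has no way to tell that "dot/.." walks out through a symlink. The write of "up/evil.txt" is what gets stopped: ensureDir asks the filesystem where root/up really points, sees the parent of root, and returns ErrPathEscape. This is also why the workaround of rejecting all symlink entries is simpler and, where an application does not need symlinks in slugs, preferable.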

🧯 If You Can't Patch

  • Disable tar archive processing functionality entirely
  • Implement strict input validation and sanitization for all archive uploads

🔍 How to Verify

Check if Vulnerable:

Check your go.mod file for 'github.com/hashicorp/go-slug'; if the version is <=0.4.3, you are vulnerable. go-slug is often pulled in indirectly (for example via go-tfe) and may then appear only in go.sum or with an '// indirect' marker, so also confirm the resolved version with 'go list -m github.com/hashicorp/go-slug' in the module directory.

Check Version:

grep 'hashicorp/go-slug' go.mod

Verify Fix Applied:

Verify go.mod contains 'github.com/hashicorp/go-slug v0.5.0' or later

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file writes outside extraction directories
  • Multiple symlink creation attempts in tar archives
  • Permission errors for files outside expected paths

Network Indicators:

  • Large or unusual tar archive uploads to vulnerable endpoints

SIEM Query:

source="application_logs" AND ("symlink" OR "directory traversal" OR "../") AND process="your_application_name"
