CVE-2020-7665
📋 TL;DR
This vulnerability in the u-root uzip package allows attackers to perform path traversal attacks during zip file extraction, potentially writing files outside the intended directory. All versions of the package are affected. This impacts any application using this Go package for zip extraction.
💻 Affected Systems
- github.com/u-root/u-root/pkg/uzip
📦 What is this software?
U Root by U Root
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary file write leading to remote code execution, system compromise, or data destruction by overwriting critical system files.
Likely Case
Arbitrary file write to sensitive locations, potentially enabling privilege escalation or data exfiltration.
If Mitigated
Limited impact if extraction occurs in sandboxed environments with restricted file system permissions.
🎯 Exploit Status
Exploitation requires the ability to provide a malicious zip file to the vulnerable extraction function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 7b5f7b9 and later versions
Vendor Advisory: https://github.com/u-root/u-root/pull/1817
Restart Required: No
Instructions:
1. Update Go dependencies: go get -u github.com/u-root/u-root/pkg/uzip
2. Rebuild and redeploy affected applications
3. Verify the fix by checking for the security patch in your version
🔧 Temporary Workarounds
Input validation and sanitization (all platforms): Implement custom validation to reject zip files containing path traversal entries before extraction
Sandboxed extraction (Linux): Extract zip files in isolated containers or chroot environments with restricted permissions
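One way to implement the validation workaround above, added here as an example (it is not code from u-root or from this advisory): every entry name is resolved under the destination with path/filepath, and the whole archive is rejected if any entry would land outside it. The destination path and the entry names are constructed test data.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrPathTraversal = errors.New("zip entry escapes destination directory")

// SafeJoin resolves a zip entry beneath dest, rejecting empty or absolute names and names that climb out of dest once cleaned (zip slip).
func SafeJoin(dest, name string) (string, error) {
	if name == "" || strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", ErrPathTraversal
	}
	target := filepath.Join(dest, filepath.FromSlash(name)) // Join cleans, so "a/../../x" collapses first
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return target, nil
}

// ValidateArchive checks every entry name before anything is written, so one hostile entry rejects the whole archive.
func ValidateArchive(data []byte, dest string) error {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if r == nil { // Go 1.20+ pairs zip.ErrInsecurePath with a usable Reader; only a nil Reader is a parse failure
		return err
	}
	for _, f := range r.File {
		if _, err := SafeJoin(dest, f.Name); err != nil {
			return fmt.Errorf("entry %q: %w", f.Name, err)
		}
	}
	return nil
}

// BuildSampleZip writes a constructed in-memory archive with the given entry names (test data, not a real sample).
func BuildSampleZip(names []string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		w.Create(n) // empty entry body; errors ignored because the input is constructed
	}
	w.Close()
	return buf.Bytes()
}
```

Run ValidateArchive on the archive bytes before handing them to the extraction routine; it returns nil for an archive of ordinary relative names and an error naming the first offending entry otherwise.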
🧯 If You Can't Patch
- Implement strict file permission controls on extraction directories
- Monitor file system writes for suspicious patterns and implement file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check whether your Go application imports github.com/u-root/u-root/pkg/uzip and, if so, review the version in use
Check Version:
go list -m github.com/u-root/u-root
Verify Fix Applied:
Verify your application uses a version after the fix commit 7b5f7b9
📡 Detection & Monitoring
Log Indicators:
- Unusual file write patterns outside expected directories
- Failed file write attempts to protected system paths
Network Indicators:
- Large or suspicious zip file uploads to affected services
SIEM Query:
source="application_logs" AND ("uzip" OR "zip extraction") AND ("permission denied" OR "access denied")