CVE-2020-7667 — Arbitrary File Write via Archive Extraction (Zip Slip) in github.com/sassoftware

Description

Due to improper path sanitization, RPMs containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

How to fix CVE-2020-7667

To remediate CVE-2020-7667, upgrade the affected package to a fixed version below.

Go/github.com/sassoftware/go-rpmutils—upgrade to 0.1.0 or later
—upgrade to 0.1.0 or later

Is CVE-2020-7667 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.1.0
from 0, < 0.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-7667
PATCHgithub.com/sassoftware/go-rpmutils
WEBgithub.com/sassoftware/go-rpmutils/commit/a64058cf21b8aada501bba923c9aab66fb6febf0
WEBpkg.go.dev/vuln/GO-2020-0042
WEB