Jaredallard Archives Go Library Path Traversal Vulnerability Leading to Arbitrary File Modification and Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in the Jaredallard Archives Go library, specifically in version 1.0.0. It allows a malicious user to craft archive entry paths that traverse outside the intended directory, potentially leading to arbitrary file modification or remote code execution. The impact depends on the permissions and environment of the process using the library: running it as root on a production system could have severe consequences, whereas a non-root user in a read-only container might see little or no impact.

Impact

Exploitation of this vulnerability could result in unauthorized file modifications or remote code execution, depending on the context in which the library is used.

Reproduction

The vulnerability can be reproduced by creating a specially crafted archive that exploits the path traversal flaw and then processing that archive with Archives library version 1.0.0. The well-known 'zip-slip' vulnerability class, in which entry file paths are manipulated to traverse directories, can be used as a reference for how such an archive is structured.

Remediation

Users are advised to upgrade to Archives library version 1.0.1 or later, where this vulnerability has been patched. If an immediate upgrade is not possible, manually validating an archive's entry paths before passing it to the library can serve as a temporary workaround.

Added: Nov 7, 2025, 6:17 AM
Updated: Nov 7, 2025, 6:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.3
remediation: 7.7
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.