x/vulndb: potential Go vuln in github.com/u-root/u-root: CVE-2020-7666

[tatianab]

CVE-2020-7666 references github.com/u-root/u-root, which may be a Go module.

Description:
This affects all versions of package github.com/u-root/u-root/pkg/cpio. It is vulnerable to leading, non-leading relative path traversal attacks and symlink based (relative and absolute) path traversal attacks in cpio file extraction.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7666
• fix: Remediate zipslip u-root/u-root#1817
• web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUROOTUROOTPKGCPIO-570440
• Imported by: https://pkg.go.dev/github.com/u-root/u-root?tab=importedby

Cross references:

• Module github.com/u-root/u-root appears in issue x/vulndb: potential Go vuln in github.com/u-root/u-root: GHSA-58pf-pcwv-qg85 #793 NOT_IMPORTABLE
• Module github.com/u-root/u-root appears in issue x/vulndb: potential Go vuln in github.com/u-root/u-root/pkg/tarutil: GHSA-75qf-wgfj-v652 #805 NOT_IMPORTABLE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/u-root/u-root
      vulnerable_at: 0.11.0
      packages:
        - package: github.com/u-root/u-root/pkg/cpio
cves:
    - CVE-2020-7666
credits:
    - Georgios Gkitsas of Snyk Security Team
references:
    - fix: https://github.com/u-root/u-root/pull/1817
    - web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUROOTUROOTPKGCPIO-570440

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports