
CVE-2021-21272 – zip slip in ORAS
https://notcve.org/view.php?id=CVE-2021-21272
25 Jan 2021

ORAS is open source software that provides a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory, where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linkin...

Reference: https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-59: Improper Link Resolution Before File Access ('Link Following')
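The two CWEs above describe the same failure from two angles: an entry name containing ".." (CWE-22) and a symlink or hard link whose target points outside the extraction directory (CWE-59). The following Go program is an added example written for this page; it is not ORAS code and not the content of the referenced commit. It validates every header of a gzipped tarball before anything is written to disk, treating hard-link targets as archive-relative and symlink targets as relative to the directory the link is created in, which is the distinction an extractor most often gets wrong. The function names (CheckEntry, Scan, buildTarball), the destination "out" and the sample archive are all constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrEscape marks an entry whose name or link target would leave the root.
var ErrEscape = errors.New("tar entry escapes extraction root")

// joinInRoot joins archive-relative name onto base (root or a directory under it), rejecting absolute names and ".." escapes.
func joinInRoot(root, base, name string) (string, error) {
	p := filepath.Join(base, name) // Join cleans, so "a/../../x" collapses
	inside := p == root || strings.HasPrefix(p, root+string(filepath.Separator))
	if filepath.IsAbs(name) || !inside {
		return "", fmt.Errorf("%w: %q", ErrEscape, name)
	}
	return p, nil
}

// CheckEntry validates one header against root (clean, absolute) and returns the
// destination and, for links, the resolved target. Hard-link targets are archive-
// relative; a symlink target is relative to the link's own directory, not to root.
func CheckEntry(root string, hdr *tar.Header) (dest, target string, err error) {
	if dest, err = joinInRoot(root, root, hdr.Name); err != nil {
		return "", "", err
	}
	switch hdr.Typeflag {
	case tar.TypeLink:
		target, err = joinInRoot(root, root, hdr.Linkname)
	case tar.TypeSymlink:
		target, err = joinInRoot(root, filepath.Dir(dest), hdr.Linkname)
	}
	return dest, target, err
}

// Scan walks a gzipped tarball and returns the names of entries that would
// escape root, so an archive can be vetted before anything touches disk.
func Scan(r io.Reader, root string) (bad []string, err error) {
	if root, err = filepath.Abs(root); err != nil {
		return nil, err
	}
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if err == io.EOF { // reached only after the gzip checksum verified
			return bad, nil
		} else if err != nil {
			return nil, err
		}
		if _, _, err := CheckEntry(root, hdr); errors.Is(err, ErrEscape) {
			bad = append(bad, hdr.Name)
		} else if err != nil {
			return nil, err
		}
	}
}

// buildTarball writes the headers as an in-memory .tar.gz; bodies are empty since only names and link targets matter here.
func buildTarball(hdrs []*tar.Header) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, h := range hdrs {
		if err := tw.WriteHeader(h); err != nil {
			panic(err)
		}
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

// sampleEntries is a constructed archive, not a real ORAS artifact: a benign
// tree plus the link tricks the advisory describes.
var sampleEntries = []*tar.Header{
	{Name: "app/config.yaml", Typeflag: tar.TypeReg},
	{Name: "app/current", Typeflag: tar.TypeSymlink, Linkname: "config.yaml"},    // relative, stays inside
	{Name: "../../.bashrc", Typeflag: tar.TypeReg},                                // classic zip slip
	{Name: "app/etc", Typeflag: tar.TypeSymlink, Linkname: "../../../etc"},        // symlink out of root
	{Name: "app/shadow", Typeflag: tar.TypeLink, Linkname: "../../../etc/shadow"}, // hard link out of root
	{Name: "app/abs", Typeflag: tar.TypeSymlink, Linkname: "/etc/passwd"},         // absolute target
}

func main() {
	bad, err := Scan(bytes.NewReader(buildTarball(sampleEntries)), "out")
	fmt.Println("rejected entries:", bad, "error:", err)
}
```

Scan rejects "../../.bashrc", "app/etc", "app/shadow" and "app/abs" and accepts "app/current", because a symlink target is resolved from the link's directory (app/) rather than from the root. This lexical check is necessary but not sufficient on its own: it cannot see symlinks that already exist on disk when the user-specified directory is not empty, and a link created by one entry can be used as a stepping stone by a later entry in the same archive. An extractor should therefore also resolve the parent directory of each destination with filepath.EvalSymlinks and refuse to write if it no longer lies under the root, and should never follow a symlink that already sits at the destination path. Extracting into a freshly created, empty directory removes most of that attack surface.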