First published: Wed Mar 24 2021
go-ipfs is an open-source Go implementation of IPFS, which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0-rc1, path traversal can occur during retrieval of DAGs that contain relative paths. This can cause files to be overwritten, or written to incorrect output directories. The issue can only occur when a get is done on an affected DAG. This is fixed in version 0.8.0-rc1.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
go-ipfs | <=0.7.0 |
The severity of CVE-2020-26279 is considered to be moderate due to the risk of path traversal leading to file overwriting.
To fix CVE-2020-26279, upgrade to go-ipfs version 0.8.0-rc1 or later.
The impact of CVE-2020-26279 is the potential for unauthorized file overwrites due to path traversal vulnerabilities.
go-ipfs versions before 0.8.0-rc1 are affected by CVE-2020-26279.
CVE-2020-26279 is primarily a local vulnerability, as it requires access to the affected system to exploit.
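The description above says that retrieving a DAG containing relative paths can write files outside the intended output directory. The following Go example is added here for illustration and is not go-ipfs code or its actual patch: it shows a lexical containment check an extractor can apply to each entry name before writing. `SafeJoin`, `ErrUnsafePath`, the `out` directory and the sample names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath marks an entry name that does not resolve strictly inside the output directory.
var ErrUnsafePath = errors.New("entry path resolves outside output directory")

// SafeJoin (hypothetical helper) resolves an untrusted, slash-separated entry
// name against outDir and returns the target only if it stays inside outDir.
// The check is lexical: it does not detect symlinks already present on disk.
func SafeJoin(outDir, name string) (string, error) {
	if name == "" || strings.HasPrefix(name, "/") || strings.ContainsRune(name, 0) {
		return "", ErrUnsafePath
	}
	base, err := filepath.Abs(outDir)
	if err != nil {
		return "", err
	}
	// Join cleans the path, collapsing "." and ".." segments.
	target := filepath.Join(base, filepath.FromSlash(name))
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrUnsafePath
	}
	return target, nil
}

func main() {
	// Constructed sample entry names, as an extractor might read them from a DAG.
	names := []string{"docs/readme.txt", "a/../b.txt", "../outside.txt", "a/../../outside.txt", "/etc/passwd"}
	for _, n := range names {
		if p, err := SafeJoin("out", n); err != nil {
			fmt.Printf("reject %q: %v\n", n, err)
		} else {
			fmt.Printf("write  %q -> %s\n", n, p)
		}
	}
}
```

Rejecting the entry before any file is created keeps a failed check from leaving partial output behind.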