CVE-2020-36560: 
vulnerability analysis and mitigation

CVE-2020-36560 affects the go-unzip project, a Go-based archive extraction library. The vulnerability was discovered and disclosed in March 2020, impacting all versions before v1.0.0. The vulnerability stems from improper path sanitization when extracting files from archives, which could allow malicious archives containing relative file paths to write or overwrite files outside of the intended target directory (NVD, Go Vuln DB).

The vulnerability is a directory traversal issue (CWE-22) caused by insufficient validation of file paths during archive extraction. When extracting files from an archive, the code fails to properly sanitize paths containing '../' sequences, allowing files to be written outside the target directory. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (NVD).

The vulnerability can be exploited to write or overwrite files outside of the intended extraction directory, potentially leading to arbitrary file writes on the system. This could allow an attacker to overwrite executable files, configuration files, or other sensitive resources, potentially leading to remote command execution on the affected system (Snyk Research).

The vulnerability was fixed in version 1.0.0 of go-unzip by adding proper path sanitization checks. The fix involves validating file paths before extraction to ensure they don't escape the target directory. Users should upgrade to version 1.0.0 or later. The fix specifically adds validation to check if the final path has a prefix matching the intended destination directory (GitHub Commit).