{"id":"GO-2021-0099","summary":"Zip slip directory exploit in github.com/deislabs/oras","details":"Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore content store may result in directory traversal during archive extraction, allowing a malicious archive to write paths to arbitrary paths that the process can write to.","aliases":["BIT-oras-2021-21272","CVE-2021-21272","GHSA-g5v4-5x39-vwhx"],"modified":"2026-03-17T04:05:46.990704Z","published":"2021-04-14T20:04:52Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0099","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e"}],"affected":[{"package":{"name":"github.com/deislabs/oras","ecosystem":"Go","purl":"pkg:golang/github.com/deislabs/oras"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.9.0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/deislabs/oras/pkg/content","symbols":["extractTarDirectory","fileWriter.Commit"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0099.json"}}],"schema_version":"1.7.5","credits":[{"name":"Chris Smowton"}]}