CVE-2020-26277

CVE-2020-26277 is a medium-severity security vulnerability in github.com/datacharmer/dbdeployer (go), affecting versions < 1.58.2. It is fixed in 1.58.2.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations in dbdeployer

Mitigating factors

For the attach to succeed, the following factors need to contribute:

  • The user is logged in as root. While dbdeployer is usable as root, it was designed to run as unprivileged user.
  • The user has taken a tarball from a non secure source, without testing the checksum. When the tarball is retrieved through dbdeployer, the checksum is compared before attempting to unpack.

Analysis

An attacker could inject a symbolic link into the tarball, so that a file could result into fake_file -> /etc/passwd or some equally important file.
As it is now, dbdeployer would create the symlink as defined, with a local file fake_file linked to /etc/passwd. The danger here is that any process with the privileges to write to both fake_file and /etc/passwd could overwrite the system file. Even without malicious intent, this could result in the system to become unusable.
As noted above, the user must have write privileges to the target file to do the damage.

Remedies

It has been suggested that the extract procedure use filepath.EvalSymlinks to determine whether the target is within the extraction directory. Unfortunately, this approach is unavailable in this context, because it would prevent legitimate patterns from being carried out.
A simple case is a file mysql-8.0.22-macos10.15-x86_64/bin/libprotobuf-lite.3.11.4.dylib with a linkName ../lib/libprotobuf-lite.3.11.4.dylib, if the linked file has not been created yet, filepath.EvalSymlinks would fail, as it acts on existing files only.

An alternative method is comparing the depth (how many directories) of the file name with the depth of the link name. If the link name has a higher depth than the local file, we block the operation with an appropriate error:

Unpacking tarball exploit/mysql-8.0.22-macos10.15-x86_64.tar.gz to $HOME/opt/mysql/test8.0.22
......
link '../../../../../../../../../../etc' points outside target directory

exit status 1

As an additional fortifier, we can check whether the link points to an existing file, calculate its absolute name, and compare it with the absolute name of the extraction directory. A link to a full path (such as /etc/passwd) would fail this test, and trigger an error.

The same check can be applied to a link to a non existing file with absolute path.

Patched in release 1.58.2

For more information

If you have any questions or comments about this advisory:

Impact

Users unpacking a tarball through dbdeployer may use a maliciously packaged tarball that contains symlinks to files external to the target. In such scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defences.

CVE-2020-26277 has a CVSS score of 6.1 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.58.2); upgrading removes the vulnerable code path.

Affected versions

github.com/datacharmer/dbdeployer (< 1.58.2)

Security releases

github.com/datacharmer/dbdeployer → 1.58.2 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade github.com/datacharmer/dbdeployer to 1.58.2 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2020-26277? CVE-2020-26277 is a medium-severity security vulnerability in github.com/datacharmer/dbdeployer (go), affecting versions < 1.58.2. It is fixed in 1.58.2.
  2. How severe is CVE-2020-26277? CVE-2020-26277 has a CVSS score of 6.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/datacharmer/dbdeployer are affected by CVE-2020-26277? github.com/datacharmer/dbdeployer (go) versions < 1.58.2 is affected.
  4. Is there a fix for CVE-2020-26277? Yes. CVE-2020-26277 is fixed in 1.58.2. Upgrade to this version or later.
  5. Is CVE-2020-26277 exploitable, and should I be worried? Whether CVE-2020-26277 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2020-26277 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2020-26277? Upgrade github.com/datacharmer/dbdeployer to 1.58.2 or later.

Stop the waste.
Protect your environment with Kodem.