CVE-2020-29529

HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt