GHSA-jxr7-mqhw-9p98
K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression
Details
#### Summary
A path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names (e.g., `../../../../etc/password`) can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot.
#### Mitigations
* Enable golang's built-in [insecure path protections](https://pkg.go.dev/archive/zip#NewReader) when restoring snapshots by setting the`GODEBUG` environment variable: ```bash GODEBUG=zipinsecurepath=0 k3s server --cluster-reset --cluster-reset-restore-path=/path/to/snapshot.zip ``` * Manually extract the snapshot from the zip archive before restoring it. If the snapshot to be restored does not end with `.zip`, the vulnerable extraction code will not be executed.
#### Additional Notes
Administrators should be aware of the cautions noted in the "Security" section of the documentation on [Restoring Snapshots](https://docs.k3s.io/cli/etcd-snapshot#security).
Are you affected?
Enter the version of the package you're using.
Affected packages
1.35.0-rc1 Fixed in: 1.35.3 go get github.com/k3s-io/k3s@v1.35.3 1.34.0-rc1 Fixed in: 1.34.6 go get github.com/k3s-io/k3s@v1.34.6 0 Fixed in: 1.33.10 go get github.com/k3s-io/k3s@v1.33.10