Описание
Spring-integration-zip versions prior to 1.0.1 exposes an arbitrary file write vulnerability, which can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z) that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.
Ссылки
- Third Party AdvisoryVDB Entry
- Vendor Advisory
- Third Party AdvisoryVDB Entry
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 1.0.1 (исключая)
cpe:2.3:a:vmware:spring_integration_zip:*:*:*:*:*:*:*:*
EPSS
Процентиль: 57%
0.00351
Низкий
4.7 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-22
Связанные уязвимости
CVSS3: 4.7
github
больше 7 лет назад
Path traversal in org.springframework.integration:spring-integration-zip
EPSS
Процентиль: 57%
0.00351
Низкий
4.7 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-22