CVE-2021-32840

Опубликовано: 26 янв. 2022

Источник: nvd

CVSS3: 7.3

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry ../evil.txt may be extracted in the parent directory of destFolder. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.

Ссылки

https://github.com/icsharpcode/SharpZipLib/commit/a0e96de70b5264f4c919b09253b1522bc7a221cc
Patch
Third Party Advisory
https://github.com/icsharpcode/SharpZipLib/releases/tag/v1.3.3
Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2021-125-sharpziplib/
Exploit
Third Party Advisory
https://github.com/icsharpcode/SharpZipLib/commit/a0e96de70b5264f4c919b09253b1522bc7a221cc
Patch
Third Party Advisory
https://github.com/icsharpcode/SharpZipLib/releases/tag/v1.3.3
Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2021-125-sharpziplib/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:sharpziplib_project:sharpziplib:*:*:*:*:*:*:*:*

Версия до 1.3.3 (исключая)

EPSS

Процентиль: 81%

0.01545

Низкий

7.3 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-22

Связанные уязвимости

CVE-2021-32840

CVSS3: 7.3

ubuntu

около 4 лет назад

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry `../evil.txt` may be extracted in the parent directory of `destFolder`. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.

CVE-2021-32840

CVSS3: 7.3

debian

около 4 лет назад

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior ...

GHSA-m22m-h4rf-pwq3

CVSS3: 7.3

github

около 4 лет назад

Path Traversal in SharpZipLib

EPSS

Процентиль: 81%

0.01545

Низкий

7.3 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-22