Description
adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
Statement
While Red Hat Mobile Application Platform (RHMAP) does include the vulnerable library, it does not use the vulnerable extract* methods that were fixed in the library [1]. RHMAP will upgrade the vulnerable library in a future version. Red Hat Quay includes adm-zip as a dependency of protractor, which is only used at build time. The vulnerable library is not used at runtime, meaning this has a low impact on Red Hat Quay.

[1] https://github.com/cthackers/adm-zip/commit/6f4dfeb9a2166e93207443879988f97d88a37cde
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Mobile Application Platform 4 | nodejs-adm-zip | Affected | | |
| Red Hat Quay 3 | quay/quay-rhel8 | Fix deferred | | |
Additional information
CVSS3: 5.3 Medium
Related vulnerabilities
Vulnerability in the extractDir function of the Adm-zip Node.js zip-file library, allowing an attacker to execute arbitrary code
CVSS3: 5.3 Medium