Описание
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
A flaw was found in Golang. The ZIP implementation of the Go language archive/zip library behaves differently than the rest of the ZIP file format implementations. When handling ZIP files with a corrupted central directory record, the library skips over the invalid record and processes the next valid one. This flaw allows a malicious user to access hidden information or files inside maliciously crafted ZIP files.
Отчет
Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-20: Improper Input Validation vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Red Hat enforces the principle of least functionality, ensuring that only essential features, services, and ports are enabled. This minimizes the number of components that could be affected by input validation vulnerabilities. Security testing and evaluation standards are implemented within the environment to rigorously test input validation mechanisms during the development lifecycle, while static code analysis identifies potential input validation vulnerabilities by default. Process isolation ensures that processes handling potentially malicious or unvalidated inputs run in isolated environments by separating execution domains for each process. Malicious code protections, such as IPS/IDS and antimalware solutions, help detect and mitigate malicious payloads stemming from input validation vulnerabilities. Finally, robust input validation and error-handling mechanisms ensure all user inputs are thoroughly validated, preventing improperly validated inputs from causing system instability, exposing sensitive data, or escalating risks further.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-acmesolver-rhel9 | Not affected | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Not affected | ||
| Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8 | Will not fix | ||
| Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8 | Will not fix | ||
| Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8-operator | Will not fix | ||
| Migration Toolkit for Applications 7 | mta/mta-analyzer-lsp-rhel9 | Will not fix | ||
| Multicluster Engine for Kubernetes | multicluster-engine/agent-service-rhel8 | Not affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/cluster-api-provider-azure-rhel8 | Not affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/hive-rhel8 | Not affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/hypershift-cli-rhel8 | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
The archive/zip package's handling of certain types of invalid zip fil ...
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
Уязвимость пакета archive-zip языка программирования Golang, позволяющая нарушителю создать произвольный zip-файл
EPSS
7.5 High
CVSS3