Описание
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
A flaw was found in Golang. The ZIP implementation of the Go language archive/zip library behaves differently than the rest of the ZIP file format implementations. When handling ZIP files with a corrupted central directory record, the library skips over the invalid record and processes the next valid one. This flaw allows a malicious user to access hidden information or files inside maliciously crafted ZIP files.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-acmesolver-rhel9 | Not affected | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Not affected | ||
| Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8 | Will not fix | ||
| Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8 | Will not fix | ||
| Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator | Will not fix | ||
| Migration Toolkit for Applications 7 | mta/mta-analyzer-lsp-rhel9 | Will not fix | ||
| Multicluster Engine for Kubernetes | multicluster-engine/agent-service-rhel8 | Not affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/cluster-api-provider-azure-rhel8 | Not affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/hive-rhel8 | Not affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/hypershift-cli-rhel9 | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.5 Medium
CVSS3
Связанные уязвимости
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
Mishandling of corrupt central directory record in archive/zip
The archive/zip package's handling of certain types of invalid zip fil ...
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
EPSS
5.5 Medium
CVSS3