geralbum.blogg.se

Apache ant 1.9.12

The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.

Zip Slip is a widespread critical archive extraction vulnerability, allowing attackers to write arbitrary files on the system, typically resulting in remote command execution. It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many more. This page provides the most up-to-date fix statuses for the libraries and projects that were found to be exploitable or contain a vulnerable implementation. For more information on the technical details of Zip Slip, read.

The vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central library offering high-level processing of archives. The lack of such a library led to vulnerable code snippets being hand-crafted and shared among developer communities such as StackOverflow.

The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh).












