GitHub Advisory Database: GHSA-JXCC-G75X-QGW9
History: Jun 08, 2021 - 6:47 p.m.

Calipso Arbitrary File Write via Archive Extraction (Zip Slip)

2021-06-08 18:47:18
CWE-29 (Path Traversal: '\..\Filename')
CWE-668 (Exposure of Resource to Wrong Sphere)
Source: GitHub Advisory Database (github.com)
Tags: calipso, arbitrary file write, archive extraction, zip slip, malicious module, file overwrite, software security

CVSS2: 3.6 (AV:L/AC:L/Au:N/C:N/I:P/A:P)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

CVSS3: 7.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:F/RL:U/RC:C)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: LOW
  Availability Impact: LOW

EPSS: 0.001 (percentile 16.0%)

This affects all versions of package calipso; no patched version is listed. Calipso's module install functionality extracts a module archive into the install directory without validating the entry paths inside the archive. A malicious module archive whose entries carry `../` path segments (Zip Slip, CWE-29) is therefore written outside the intended directory and can overwrite arbitrary files on the host file system with the privileges of the Calipso process.

Affected configurations

Vulners
  Node                      Range
  calipso_project/calipso   0.3.54

  Vendor            Product   Version   CPE
  calipso_project   calipso   *         cpe:2.3:a:calipso_project:calipso:*:*:*:*:*:*:*:*
