Improper Limitation of a Pathname to a Restricted Directory in SharpZipLib

2022-05-1301:35:03

Google

osv.dev

0.002 Low

EPSS

Percentile

51.6%

JSON

SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a …/ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as ‘Zip-Slip’.

CPENameOperatorVersion
sharpziplibeq1.0.0-alpha2
sharpziplibeq0.86.0
sharpziplibeq1.0.0-alpha1

Name	Operator	Version
sharpziplib	eq	1.0.0-alpha2
sharpziplib	eq	0.86.0
sharpziplib	eq	1.0.0-alpha1

References

github.com/icsharpcode/SharpZipLib/issues/232

github.com/icsharpcode/SharpZipLib/wiki/Release-1.0

github.com/snyk/zip-slip-vulnerability

nvd.nist.gov/vuln/detail/CVE-2018-1002208

snyk.io/research/zip-slip-vulnerability

snyk.io/vuln/SNYK-DOTNET-SHARPZIPLIB-60247

0.002 Low

EPSS

Percentile

51.6%

JSON

Related for OSV:GHSA-CQJ4-M2PC-V9M5