CVE-2020-35460

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-35460

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-35460.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-35460

Aliases

GHSA-p9j6-4pjr-gp48

Published

2020-12-14T23:15:12.267Z

Modified

2025-11-20T11:26:18.710084Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allows directory traversal in the zip stream handler flow, leading to the writing of files to arbitrary locations.

References

Affected packages

Git / github.com/joniles/mpxj

Affected ranges

Type: GIT
Repo: https://github.com/joniles/mpxj
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8eaf4225048ea5ba7e59ef4556dab2098fcc4a1d

Affected versions

v7.*

v7.0.0

v7.0.1

v7.0.2

v7.0.3

v7.1.0

v7.2.0

v7.2.1

v7.3.0

v7.4.0

v7.4.1

v7.4.2

v7.4.3

v7.4.4

v7.5.0

v7.6.0

v7.6.1

v7.6.2

v7.6.3

v7.7.0

v7.7.1

v7.8.0

v7.8.1

v7.8.2

v7.8.3

v7.8.4

v7.9.0

v7.9.1

v7.9.2

v7.9.3

v7.9.4

v7.9.5

v7.9.6

v7.9.7

v7.9.8

v8.*

v8.0.0

v8.0.2

v8.0.3

v8.0.4

v8.0.5

v8.0.6

v8.0.7

v8.0.8

v8.1.0

v8.1.1

v8.1.2

v8.1.3

v8.1.4

v8.2.0

v8.3.0

v8.3.1

v8.3.2

v8.3.3

v8.3.4

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/net/sf/mpxj/common/InputStreamHelper.java"
        },
        "deprecated": false,
        "source": "https://github.com/joniles/mpxj/commit/8eaf4225048ea5ba7e59ef4556dab2098fcc4a1d",
        "id": "CVE-2020-35460-a3986cba",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "123141927248824563031288708808345287231",
                "13077034134516116026565103736909882680",
                "85603711740978062230026111542537678213",
                "320194757104729912285574117987871137189",
                "218070984230557849804256790131110018830",
                "32725309723900027678955807783420864353",
                "17620986167085260341268408789377049424",
                "144262615154991053477131960923925827950"
            ]
        }
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/net/sf/mpxj/common/InputStreamHelper.java",
            "function": "processZipStream"
        },
        "deprecated": false,
        "source": "https://github.com/joniles/mpxj/commit/8eaf4225048ea5ba7e59ef4556dab2098fcc4a1d",
        "id": "CVE-2020-35460-e6f4b936",
        "signature_type": "Function",
        "digest": {
            "function_hash": "213972228014475642471676651904999913297",
            "length": 588.0
        }
    }
]