GHSA-vw83-h3mq-3qwj

Source

https://github.com/advisories/GHSA-vw83-h3mq-3qwj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-vw83-h3mq-3qwj/GHSA-vw83-h3mq-3qwj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vw83-h3mq-3qwj

Aliases

CVE-2021-22114

Published

2022-03-18T17:40:44Z

Modified

2023-11-08T04:04:53.949500Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Path Traversal in Spring-integration-zip

Details

Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

Database specific

{
    "nvd_published_at": "2021-03-01T18:15:00Z",
    "github_reviewed_at": "2021-03-22T20:54:58Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Maven / org.springframework.integration:spring-integration-zip

Package

Name: org.springframework.integration:spring-integration-zip; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.integration/spring-integration-zip

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.4

Affected versions

1.*

1.0.0.RELEASE

1.0.1.RELEASE

1.0.2.RELEASE

1.0.3.RELEASE