[COMPRESS-495] Zip Slip in SevenZ CLI - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.20
Component/s: Archivers
Labels:
- 7zip

Description

The SevenZ decompressor doesn't check that the file to be extracted is escaping the current directory or not.

Vulnerable code: https://github.com/apache/commons-compress/blob/26b78cecfc1ca0e5daf03109b2c441f960bde678/src/main/java/org/apache/commons/compress/archivers/sevenz/CLI.java#L67

In another place in the repository, there is a safe implementation that was added as an example when the Zip Slip vulnerability was originally published: https://github.com/apache/commons-compress/blob/1a14a23a05f7104e3d41a25a0f7e78ae1556285e/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java#L308

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Gabor Molnar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 07/Oct/19 11:54

Updated:: 12/Oct/19 10:30

Resolved:: 12/Oct/19 10:30