Zip Slip vulnerability affects thousands of projects
On June 5th, Snyk's researchers announced a vulnerability called Zip Slip. Through this vulnerability, an attacker can use a specially crafted ZIP archive to overwrite arbitrary files through path traversal, potentially resulting in command execution.
An attacker can trigger a Zip Slip vulnerability with a specially crafted archive whose entry names contain directory traversal sequences (such as ../../evil.sh). Once the vulnerable code base extracts the contents of the archive, the malicious files land outside the folder in which they should reside. The researchers pointed out: "The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside the target folder in which they should reside." The attacker can then overwrite executable files and call them remotely, or wait for the system or a user to invoke them, thereby achieving remote command execution on the victim's machine.
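The mechanism described above comes down to one line in many extraction routines: the entry name from the archive is joined to the destination directory without checking where the resulting path ends up. The following Java class is an added example written for this page (it is not code from Snyk or from any of the libraries named here). It shows the vulnerable pattern as a comment, a hardened resolver that canonicalises the target path and rejects anything outside the destination directory, a read-only check that lists offending entries so an archive can be inspected before extraction, and a safe extraction loop built on java.util.zip. The class name SafeUnzip and the method names are assumptions for the example.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public class SafeUnzip {

    // Vulnerable pattern (shown for comparison only, do not use):
    //   File out = new File(destDir, entry.getName());
    //   copy(zip.getInputStream(entry), new FileOutputStream(out));
    // An entry named "../../evil.sh" resolves to a path outside destDir,
    // so the archive decides where the file is written.

    /** Resolves an entry name against destDir and rejects any path that escapes it. */
    static File resolveSafely(File destDir, String entryName) throws IOException {
        File destCanon = destDir.getCanonicalFile();
        // Canonicalising collapses "..", "." and symlinks before the check.
        File target = new File(destCanon, entryName).getCanonicalFile();
        String prefix = destCanon.getPath() + File.separator;
        if (!target.getPath().startsWith(prefix)) {
            throw new IOException("Entry is outside of the target dir: " + entryName);
        }
        return target;
    }

    /** Lists entries that would escape destDir, without writing anything to disk. */
    static List<String> findTraversalEntries(File archive, File destDir) throws IOException {
        List<String> offending = new ArrayList<>();
        try (ZipFile zip = new ZipFile(archive)) {
            for (ZipEntry e : Collections.list(zip.entries())) {
                try {
                    resolveSafely(destDir, e.getName());
                } catch (IOException escaped) {
                    offending.add(e.getName());
                }
            }
        }
        return offending;
    }

    /** Extracts the archive, refusing any entry that resolves outside destDir. */
    static void unzip(File archive, File destDir) throws IOException {
        byte[] buf = new byte[8192];
        try (ZipFile zip = new ZipFile(archive)) {
            for (ZipEntry e : Collections.list(zip.entries())) {
                File target = resolveSafely(destDir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target.toPath());
                    continue;
                }
                Files.createDirectories(target.toPath().getParent());
                try (InputStream in = zip.getInputStream(e);
                     OutputStream out = new FileOutputStream(target)) {
                    int n;
                    while ((n = in.read(buf)) > 0) {
                        out.write(buf, 0, n);
                    }
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Usage: java SafeUnzip <archive.zip> [destination-dir]
        File archive = new File(args[0]);
        File dest = new File(args.length > 1 ? args[1] : "extracted");
        List<String> offending = findTraversalEntries(archive, dest);
        if (!offending.isEmpty()) {
            System.err.println("Refusing archive, traversal entries: " + offending);
            return;
        }
        unzip(archive, dest);
        System.out.println("Extracted into " + dest.getCanonicalPath());
    }
}
```

The check compares canonical paths rather than looking for ".." in the entry name: a name such as "sub/../../x" or an absolute path would pass a naive substring filter on some platforms, while the canonical prefix test catches every entry that ends up outside the destination. The trailing File.separator in the prefix also prevents a sibling directory with a longer name (for example "extracted2") from being accepted as inside "extracted".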
The vulnerability affected thousands of projects, including the AWS Toolkit for Eclipse, Spring, LinkedIn's Pinot OLAP database, Apache/Twitter Heron, Alibaba JStorm, Jenkins, and Gradle. Problems were also found at other cloud providers, and more information is still being made public. Because Java lacks a central library providing high-level archive handling, the Java ecosystem is particularly exposed; the affected Java libraries include java.util.zip, Apache commons-compress, Apache Ant, ZeroTurnaround zt-zip and zip4j.
For a detailed list of affected projects and CVEs, please refer to:
Users should first search their own projects for the flawed extraction pattern to confirm whether they are affected, and then check that the archive libraries they depend on appear on the list of fixed versions.
For more information, please read here.