Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jMmNjLTM1NjktNmpoMs4AA1lS
Path traversal in ZIPFoundation
An issue in ZIPFoundation v0.9.16 allows attackers to execute a path traversal via extracting a crafted zip file.
Permalink: https://github.com/advisories/GHSA-c2cc-3569-6jh2JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jMmNjLTM1NjktNmpoMs4AA1lS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 8 months ago
Updated: 3 months ago
CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-c2cc-3569-6jh2, CVE-2023-39138
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-39138
- https://github.com/weichsel/ZIPFoundation/issues/282
- https://blog.ostorlab.co/zip-packages-exploitation.html
- https://ostorlab.co/vulndb/advisory/OVE-2023-4
- https://ostorlab.co/vulndb/advisory/OVE-2023-6
- https://github.com/weichsel/ZIPFoundation/releases/tag/0.9.18
- https://github.com/advisories/GHSA-c2cc-3569-6jh2
Blast Radius: 16.7
Affected Packages
swift:github.com/weichsel/ZIPFoundation
Dependent packages: 8Dependent repositories: 137
Downloads:
Affected Version Ranges: <= 0.9.17
Fixed in: 0.9.18
All affected versions: 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.9.15, 0.9.16, 0.9.17
All unaffected versions: 0.9.18