Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qOTQ1LWM0NHYtOTdnNs4ABAt9

MPXJ has a Potential Path Traversal Vulnerability

Impact

The patch for the historical vulnerability CVE-2020-35460 in MPXJ is incomplete: a malicious path can still be constructed that the original fix does not detect, allowing files to be written to arbitrary locations when MPXJ processes an attacker-supplied zip archive.

Patches

The issue is addressed in MPXJ version 13.5.1.

Workarounds

Do not pass zip files to MPXJ until you have upgraded to 13.5.1.
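As an added illustration (this is not MPXJ's code, nor the patch referenced above), the following Python pre-scans a zip archive for entries whose names would escape an extraction directory, which is the bug class both CVE-2020-35460 and this advisory describe. It canonicalises each entry's destination and requires it to remain under the chosen root, rather than searching the raw name for a "../" substring, which is the kind of partial check that traversal variants slip past. The archive contents, the function names and the destination directory are constructed for the example.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real MPXJ fixture): one benign entry
    plus several entry names that try to escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/schedule.xml", "<Project/>")
        zf.writestr("../../etc/cron.d/evil", "parent-directory traversal")
        zf.writestr("/tmp/absolute.txt", "absolute path")
        zf.writestr("project/..\\..\\win.ini", "backslash traversal")
        zf.writestr("project/sub/../../../escape.txt", "nested dot-dot")
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Return the names of entries that would land outside dest_dir.

    Both the destination directory and each entry's would-be path are
    canonicalised with realpath; an entry is accepted only if the canonical
    destination root is a prefix (by path component) of the canonical target.
    Backslashes are normalised first because archives written on Windows may
    use them, and a naive search for '../' would miss '..\\'.
    """
    root = os.path.realpath(dest_dir)
    bad: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # Absolute paths and drive letters never belong in an archive.
            if name.startswith("/") or os.path.splitdrive(name)[0]:
                bad.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                bad.append(info.filename)
    return bad


def safe_extract(zip_bytes: bytes, dest_dir: str) -> None:
    """Refuse the whole archive if any entry escapes dest_dir, then extract."""
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive, entries escape {dest_dir}: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)


def check_sample() -> list[str]:
    """Run the check against the constructed archive in a fresh temp dir."""
    with tempfile.TemporaryDirectory() as dest:
        return unsafe_entries(build_sample_zip(), dest)


if __name__ == "__main__":
    for entry in check_sample():
        print("rejected:", entry)
```

Because the comparison is done on canonical paths, the verdict for relative entries does not depend on which directory is chosen as the root, so an application can run this scan over an uploaded archive before handing the file to an unpatched MPXJ even though MPXJ's own extraction location is not known to the caller. The scan looks only at entry names; it does not inspect symbolic-link entries or file contents, so it is a pre-filter, not a substitute for upgrading to 13.5.1.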

References

N/A

Credits

Issue report and patch provided by yyjLF and sprinkle

Permalink: https://github.com/advisories/GHSA-j945-c44v-97g6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qOTQ1LWM0NHYtOTdnNs4ABAt9
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 days ago
Updated: 8 days ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-j945-c44v-97g6, CVE-2024-49771
References: Repository: https://github.com/joniles/mpxj
Blast Radius: 17.0

Affected Packages

nuget:MPXJ.Net
Dependent packages: 0
Dependent repositories: 0
Downloads: 2,447 total
Affected Version Ranges: >= 13.0.0, < 13.5.1
Fixed in: 13.5.1
All affected versions: 13.0.0, 13.0.1, 13.0.2, 13.1.0, 13.2.0, 13.2.1, 13.2.2, 13.3.0, 13.3.1, 13.4.0, 13.4.1, 13.4.2, 13.5.0
All unaffected versions: 13.5.1
nuget:net.sf.mpxj-for-vb
Dependent packages: 0
Dependent repositories: 1
Downloads: 282,536 total
Affected Version Ranges: >= 8.3.5, < 13.5.1
Fixed in: 13.5.1
All affected versions: 8.3.5, 8.4.0, 8.5.0, 8.5.1, 9.0.0, 9.1.0, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.4.0, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.7.0, 9.8.0, 9.8.1, 9.8.2, 9.8.3, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.1.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.6.2, 10.7.0, 10.8.0, 10.9.0, 10.9.1, 10.10.0, 10.11.0, 10.12.0, 10.13.0, 10.14.0, 10.14.1, 10.15.0, 10.16.0, 10.16.1, 10.16.2, 11.0.0, 11.1.0, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 11.4.0, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 12.0.0, 12.0.1, 12.0.2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 12.6.0, 12.7.0, 12.8.0, 12.8.1, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.10.0, 12.10.1, 12.10.2, 12.10.3, 13.0.0, 13.0.1, 13.0.2, 13.1.0, 13.2.0, 13.2.1, 13.3.0, 13.3.1, 13.4.0, 13.4.1, 13.4.2, 13.5.0
All unaffected versions: 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.1.0, 5.1.4, 5.1.5, 5.1.9, 5.1.10, 5.1.11, 5.1.12, 5.1.13, 5.1.15, 5.1.16, 5.1.17, 5.1.18, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.7.0, 5.7.1, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.14.0, 6.0.0, 6.1.0, 6.1.2, 6.2.0, 6.2.1, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.5.0, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.8.0, 7.8.1, 7.8.2, 7.8.3, 7.8.4, 7.9.0, 7.9.1, 7.9.2, 7.9.3, 7.9.4, 7.9.5, 7.9.7, 7.9.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.8, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0, 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 13.5.1
nuget:net.sf.mpxj-for-csharp
Dependent packages: 0
Dependent repositories: 9
Downloads: 658,829 total
Affected Version Ranges: >= 8.3.5, < 13.5.1
Fixed in: 13.5.1
All affected versions: 8.3.5, 8.4.0, 8.5.0, 8.5.1, 9.0.0, 9.1.0, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.4.0, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.7.0, 9.8.0, 9.8.1, 9.8.2, 9.8.3, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.1.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.6.2, 10.7.0, 10.8.0, 10.9.0, 10.9.1, 10.10.0, 10.11.0, 10.12.0, 10.13.0, 10.14.0, 10.14.1, 10.15.0, 10.16.0, 10.16.1, 10.16.2, 11.0.0, 11.1.0, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 11.4.0, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 12.0.0, 12.0.1, 12.0.2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 12.6.0, 12.7.0, 12.8.0, 12.8.1, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.10.0, 12.10.1, 12.10.2, 12.10.3, 13.0.0, 13.0.1, 13.0.2, 13.1.0, 13.2.0, 13.2.1, 13.3.0, 13.3.1, 13.4.0, 13.4.1, 13.4.2, 13.5.0
All unaffected versions: 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.1.0, 5.1.4, 5.1.5, 5.1.9, 5.1.10, 5.1.11, 5.1.12, 5.1.13, 5.1.15, 5.1.16, 5.1.17, 5.1.18, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.7.0, 5.7.1, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.14.0, 6.0.0, 6.1.0, 6.1.2, 6.2.0, 6.2.1, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.5.0, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.8.0, 7.8.1, 7.8.2, 7.8.3, 7.8.4, 7.9.0, 7.9.1, 7.9.2, 7.9.3, 7.9.4, 7.9.5, 7.9.7, 7.9.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.8, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0, 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 13.5.1
nuget:net.sf.mpxj
Dependent packages: 0
Dependent repositories: 5
Downloads: 305,168 total
Affected Version Ranges: >= 8.3.5, < 13.5.1
Fixed in: 13.5.1
All affected versions: 8.3.5, 8.4.0, 8.5.0, 8.5.1, 9.0.0, 9.1.0, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.4.0, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.7.0, 9.8.0, 9.8.1, 9.8.2, 9.8.3, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.1.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.6.2, 10.7.0, 10.8.0, 10.9.0, 10.9.1, 10.10.0, 10.11.0, 10.12.0, 10.13.0, 10.14.0, 10.14.1, 10.15.0, 10.16.0, 10.16.1, 10.16.2, 11.0.0, 11.1.0, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 11.4.0, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 12.0.0, 12.0.1, 12.0.2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 12.6.0, 12.7.0, 12.8.0, 12.8.1, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.10.0, 12.10.1, 12.10.2, 12.10.3, 13.0.0, 13.0.1, 13.0.2, 13.1.0, 13.2.0, 13.2.1, 13.3.0, 13.3.1, 13.4.0, 13.4.1, 13.4.2, 13.5.0
All unaffected versions: 4.6.0, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.1.0, 5.1.4, 5.1.5, 5.1.9, 5.1.10, 5.1.11, 5.1.12, 5.1.13, 5.1.15, 5.1.16, 5.1.17, 5.1.18, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.7.0, 5.7.1, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.14.0, 6.0.0, 6.1.0, 6.1.2, 6.2.0, 6.2.1, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.5.0, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.8.0, 7.8.1, 7.8.2, 7.8.3, 7.8.4, 7.9.0, 7.9.1, 7.9.2, 7.9.3, 7.9.4, 7.9.5, 7.9.7, 7.9.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.8, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0, 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 13.5.1
pypi:mpxj
Dependent packages: 0
Dependent repositories: 2
Downloads: 19,182 last month
Affected Version Ranges: >= 8.3.5, < 13.5.1
Fixed in: 13.5.1
All affected versions: 9.0.0, 9.1.0, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.4.0, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.7.0, 9.8.0, 9.8.1, 9.8.2, 9.8.3, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.1.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.6.2, 10.7.0, 10.8.0, 10.9.0, 10.9.1, 10.10.0, 10.11.0, 10.12.0, 10.13.0, 10.14.0, 10.14.1, 10.15.0, 10.16.0, 10.16.1, 10.16.2, 11.0.0, 11.1.0, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 11.4.0, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 12.0.0, 12.0.1, 12.0.2, 12.1.1, 12.1.2, 12.1.3, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 12.6.0, 12.7.0, 12.8.0, 12.8.1, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.10.0, 12.10.1, 12.10.2, 12.10.3, 13.0.0, 13.0.1, 13.0.2, 13.1.0, 13.2.0, 13.2.1, 13.3.0, 13.3.1, 13.4.0, 13.4.1, 13.4.2, 13.5.0
All unaffected versions: 13.5.1
rubygems:mpxj
Dependent packages: 0
Dependent repositories: 2
Downloads: 2,121,746 total
Affected Version Ranges: >= 8.3.5, < 13.5.1
Fixed in: 13.5.1
All affected versions: 8.3.5, 8.4.0, 8.5.0, 8.5.1, 9.0.0, 9.1.0, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.4.0, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.7.0, 9.8.0, 9.8.1, 9.8.2, 9.8.3, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.1.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.6.2, 10.7.0, 10.8.0, 10.9.0, 10.9.1, 10.10.0, 10.11.0, 10.12.0, 10.13.0, 10.14.0, 10.14.1, 10.15.0, 10.16.0, 10.16.1, 10.16.2, 11.0.0, 11.1.0, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 11.4.0, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 12.0.0, 12.0.1, 12.0.2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 12.6.0, 12.7.0, 12.8.0, 12.8.1, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.10.0, 12.10.1, 12.10.2, 12.10.3, 13.0.0, 13.0.1, 13.0.2, 13.1.0, 13.2.0, 13.2.1, 13.3.0, 13.3.1, 13.4.0, 13.4.1, 13.5.0
All unaffected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 4.7.6, 5.0.0, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1.10, 5.1.11, 5.1.12, 5.1.13, 5.1.14, 5.1.15, 5.1.16, 5.1.17, 5.1.18, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.7.0, 5.7.1, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.14.0, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.5.0, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.8.0, 7.8.1, 7.8.2, 7.8.3, 7.8.4, 7.9.0, 7.9.1, 7.9.2, 7.9.3, 7.9.4, 7.9.5, 7.9.6, 7.9.7, 7.9.8, 8.0.0, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0, 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 13.5.1
maven:net.sf.mpxj:mpxj
Dependent packages: 2
Dependent repositories: 45
Downloads:
Affected Version Ranges: >= 8.3.5, < 13.5.1
Fixed in: 13.5.1
All affected versions: 8.3.5, 8.4.0, 8.5.0, 8.5.1, 9.0.0, 9.1.0, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.4.0, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.7.0, 9.8.0, 9.8.1, 9.8.2, 9.8.3, 10.0.0, 10.0.1, 10.0.3, 10.0.4, 10.0.5, 10.1.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.6.2, 10.7.0, 10.8.0, 10.9.0, 10.9.1, 10.10.0, 10.11.0, 10.12.0, 10.13.0, 10.14.0, 10.14.1, 10.15.0, 10.16.0, 10.16.1, 10.16.2, 11.0.0, 11.1.0, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 11.4.0, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 12.0.0, 12.0.1, 12.0.2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 12.6.0, 12.7.0, 12.8.0, 12.8.1, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.10.0, 12.10.1, 12.10.2, 12.10.3, 13.0.0, 13.0.1, 13.0.2, 13.1.0, 13.2.0, 13.2.1, 13.3.0, 13.3.1, 13.4.0, 13.4.1, 13.4.2, 13.5.0
All unaffected versions: 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.1.0, 5.1.4, 5.1.9, 5.1.10, 5.1.11, 5.1.12, 5.1.13, 5.1.15, 5.1.16, 5.1.17, 5.1.18, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.7.0, 5.7.1, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.14.0, 6.0.0, 6.1.0, 6.1.2, 6.2.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.5.0, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.8.0, 7.8.1, 7.8.2, 7.8.3, 7.8.4, 7.9.0, 7.9.1, 7.9.2, 7.9.3, 7.9.4, 7.9.5, 7.9.7, 7.9.8, 8.0.0, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0, 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 13.5.1