CERT-In Vulnerability Note
Zip Slip Vulnerability
Original Issue Date:June 11, 2018
Severity Rating: HIGH
- Archive formats including zip, tar, jar, war, cpio, apk, rar and 7z.
- Affected software includes archive-handling libraries across the npm (JavaScript), Java, .NET, Ruby gem and Go ecosystems, including projects from Oracle and Apache.
Multiple vulnerabilities have been reported in the archive-extraction code of many libraries and applications. A remote attacker could exploit this vulnerability to overwrite arbitrary files on the vulnerable system and potentially execute arbitrary code.
This vulnerability (known as Zip Slip) exists because the extraction routine builds each output path by joining the archive entry's name onto the destination directory without checking the result. A remote attacker could exploit this by supplying a specially crafted archive whose entry names contain directory traversal sequences (for example ../../), so that the file is written outside the intended extraction directory. An absolute entry name has the same effect.
Successful exploitation of this vulnerability could allow the attacker to write to any location on the file system that the extracting process can reach, including overwriting executables, libraries or configuration files, which may lead to remote code execution when those files are later run.
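The mechanism described above, as an added example that is not part of this note or of any affected vendor's code: a hand-rolled extractor that joins the entry name onto the destination (the pattern found in affected libraries) beside a hardened version that canonicalizes every target and refuses anything resolving outside the destination. The archive is constructed in memory; Python's own ZipFile.extractall() already strips traversal components, which is why the naive loop writes the entries itself. All names and paths in the block are illustrative.

```python
"""Zip Slip demonstration: a naive extractor versus a hardened one (added example)."""
import io
import os
import tempfile
import zipfile

# Constructed sample archive: one harmless entry and one traversal entry.
# A real attacker would aim at something the system later executes or trusts.
MALICIOUS_ENTRIES = {
    "readme.txt": "harmless content\n",
    "../../escaped.txt": "written outside the extraction directory\n",
}


def build_zip(entries):
    """Build an in-memory zip from {name: text}. The zip format stores entry
    names verbatim, so '../' components survive unchanged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def extract_naive(zip_bytes, dest):
    """Vulnerable pattern: join the entry name onto dest and write it."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.infolist():
            target = os.path.join(dest, member.filename)  # no validation
            if member.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.abspath(target))
    return written


def entry_escapes(dest, name):
    """True if the entry name would resolve outside dest (traversal,
    absolute path, or a symlinked dest that leads elsewhere)."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) != dest_real


def safe_target(dest, name):
    """Canonical output path for an entry, or ValueError if it escapes dest."""
    if entry_escapes(dest, name):
        raise ValueError(f"Zip Slip attempt blocked: {name!r}")
    return os.path.realpath(os.path.join(os.path.realpath(dest), name))


def extract_safe(zip_bytes, dest):
    """Hardened extractor: validate every entry first, then write.
    Rejecting the whole archive avoids leaving a half-extracted state."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        targets = [safe_target(dest, m.filename) for m in members]
        written = []
        for member, target in zip(members, targets):
            if member.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo():
    """Run both extractors in a scratch directory and report what happened."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="zipslip-"))
    archive = build_zip(MALICIOUS_ENTRIES)

    naive_dest = os.path.join(base, "naive", "out")
    os.makedirs(naive_dest)
    extract_naive(archive, naive_dest)
    escaped = os.path.join(base, "escaped.txt")  # two levels above naive_dest

    safe_dest = os.path.join(base, "safe", "out")
    os.makedirs(safe_dest)
    blocked = False
    try:
        extract_safe(archive, safe_dest)
    except ValueError:
        blocked = True

    return {
        "naive_escaped": os.path.isfile(escaped),   # True: file landed outside
        "safe_blocked": blocked,                    # True: archive rejected
        "safe_dir_empty": os.listdir(safe_dest) == [],  # True: nothing written
    }


if __name__ == "__main__":
    print(demo())
```

The check compares canonical (realpath) forms, so it also catches absolute entry names and a destination that is itself a symlink. For tar archives the same test must be applied to the link target of symlink and hardlink members as well, since a link pointing outside the destination followed by an entry written through it reaches the same result.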
- Do not extract archives received from untrusted sources.
- Upgrade to the latest version as mentioned by the respective vendors.
- When writing extraction code, canonicalize each entry's target path and reject any entry that resolves outside the destination directory (including absolute entry names) before writing anything.
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003