This alert was originally published at www.csa.gov.sg, where it can be viewed.
On 5 June 2018, the Snyk Security team disclosed a critical archive extraction vulnerability dubbed Zip Slip. The vulnerability allows attackers to achieve arbitrary remote command execution on affected systems. Thousands of projects, including projects by HP, Amazon, Apache, Pivotal and many more, are affected.
Affected Programming Languages
Affected libraries used by programming languages include, but are not limited to:
Click here for the complete list of affected libraries used by programming languages.
The Zip Slip vulnerability is exploited using a specially crafted archive file whose entry names contain extra directory components (such as ../) designed to traverse up towards the root directory as the archive is extracted, so that files are written outside the intended extraction directory. The attackers can then overwrite executable files and either invoke them remotely or wait for the system or a user to run them, thus achieving remote command execution on the victim's machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both users' machines and servers. It affects numerous archive formats such as zip, tar, jar, war, cpio, apk, rar and 7z.
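The mitigation the paragraph implies is to validate every entry's resolved path against the destination directory before writing anything. The following Python example is added here and is not code from the CSA alert or from Snyk; `safe_extract`, `build_archive` and `demo` are hypothetical names, and the two archives are constructed in memory for the demonstration.

```python
import io
import os
import tempfile
import zipfile


class ZipSlipError(Exception):
    """Raised when an archive entry would land outside the destination directory."""


def safe_extract(archive_bytes, dest_dir):
    """Extract a zip, rejecting any entry whose resolved path escapes dest_dir.

    Every entry is validated before the first write, so a malicious archive
    cannot overwrite anything before the offending entry is reached.
    Returns the list of entry names that were written.
    """
    dest_root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            # realpath collapses "../" components; an absolute entry name is
            # also caught because os.path.join discards dest_root for it.
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            if os.path.commonpath([dest_root, target]) != dest_root:
                raise ZipSlipError(f"entry escapes destination: {info.filename!r}")
        written = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_archive(entries):
    """Build an in-memory zip from {name: bytes}; names are stored verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign archive and one carrying a traversal entry name.
BENIGN = build_archive({"app/config.txt": b"ok\n"})
TRAVERSAL = build_archive({"app/config.txt": b"ok\n", "../../outside.txt": b"x\n"})


def demo(archive_bytes):
    """Return ("ok", written_names) or ("rejected", reason) for an archive."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return ("ok", safe_extract(archive_bytes, tmp))
        except ZipSlipError as e:
            return ("rejected", str(e))
```

The same containment check applies to tar and the other formats listed above; what matters is that the comparison is made on the canonicalised target path, not on the raw entry name.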
Software developers are advised to: