Skip to content

zip4j-1.3.2.jar: 2 vulnerabilities (highest severity is: 6.5) #9

New issue
New issue
Open
Open
zip4j-1.3.2.jar: 2 vulnerabilities (highest severity is: 6.5)#9
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Mar 1, 2022
Vulnerable Library - zip4j-1.3.2.jar

An open source java library to handle zip files

Library home page: http://www.lingala.net/zip4j/

Path to dependency file: /build.gradle

Path to vulnerable library: /152_YOPGFG/downloadResource_HGXZPV/20200920214212/zip4j-1.3.2.jar,/20200920214152_YOPGFG/downloadResource_HGXZPV/20200920214212/zip4j-1.3.2.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2018-1002202 Medium 6.5 zip4j-1.3.2.jar Direct 1.3.3
CVE-2022-24615 Medium 5.5 zip4j-1.3.2.jar Direct net.lingala.zip4j:zip4j:2.9.0

Details

CVE-2018-1002202

Vulnerable Library - zip4j-1.3.2.jar

An open source java library to handle zip files

Library home page: http://www.lingala.net/zip4j/

Path to dependency file: /build.gradle

Path to vulnerable library: /152_YOPGFG/downloadResource_HGXZPV/20200920214212/zip4j-1.3.2.jar,/20200920214152_YOPGFG/downloadResource_HGXZPV/20200920214212/zip4j-1.3.2.jar

Dependency Hierarchy:

  • zip4j-1.3.2.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Publish Date: 2018-07-25

URL: CVE-2018-1002202

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002202

Release Date: 2018-07-25

Fix Resolution: 1.3.3

Step up your Open Source Security Game with WhiteSource here

CVE-2022-24615

Vulnerable Library - zip4j-1.3.2.jar

An open source java library to handle zip files

Library home page: http://www.lingala.net/zip4j/

Path to dependency file: /build.gradle

Path to vulnerable library: /152_YOPGFG/downloadResource_HGXZPV/20200920214212/zip4j-1.3.2.jar,/20200920214152_YOPGFG/downloadResource_HGXZPV/20200920214212/zip4j-1.3.2.jar

Dependency Hierarchy:

  • zip4j-1.3.2.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

zip4j up to 2.9.0 can throw various uncaught exceptions while parsing a specially crafted ZIP file, which could result in an application crash. This could be used to mount a denial of service attack against services that use zip4j library.

Publish Date: 2022-02-24

URL: CVE-2022-24615

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24615

Release Date: 2022-02-24

Fix Resolution: net.lingala.zip4j:zip4j:2.9.0

Step up your Open Source Security Game with WhiteSource here

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions