CVE-2021-22114

CWE-22 — Path Traversal4 documents4 sources

Severity

5.3MEDIUM

EPSS

0.4%

top 40.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Integration ZIP

Timeline

PublishedMar 1

Latest updateMar 18

Description

Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDvmware/spring_integration_zip< 1.0.4

▶Mavenorg.springframework.integration:spring-integration-zip< 1.0.4

▶CVEListV5spring_integration_zip_extensionspring-integration-zip versions prior to 1.0.4

🔴Vulnerability Details

GHSA

Path Traversal in Spring-integration-zip↗2022-03-18

▶

OSV

Path Traversal in Spring-integration-zip↗2022-03-18

▶

CVEList

CVE-2021-22114: Addresses partial fix in CVE-2018-1263↗2021-03-01

▶