Arbitrary File Write via Archive Extraction in unzipper

2018-07-27T17:06:50
ID GHSA-884W-698F-927F
Type github
Reporter GitHub Advisory Database
Modified 2020-08-31T18:32:33

Description

Versions of unzipper before 0.8.13 are vulnerable to arbitrary file write when used to extract a specially crafted archive that contains path traversal filenames (for example, ../../file.txt).

Recommendation

Update to version 0.3.18 or later.
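
The containment check that stops this class of archive, as an added example (not code from unzipper or from this advisory): resolve each entry name against the extraction directory and refuse any entry whose resolved path falls outside it. The function names `safeEntryPath` and `auditEntries`, the `/tmp/extract` directory and the sample entry names are constructed for illustration.

```javascript
const path = require('path');

// Resolve an archive entry name against destDir and return the absolute
// path it would be written to. Throws if that path is outside destDir.
function safeEntryPath(destDir, entryName) {
  const root = path.resolve(destDir);
  // Zip names use '/', but treat '\' as a separator too so a name crafted
  // for Windows is judged the same way on every platform.
  const name = String(entryName).replace(/\\/g, '/');
  if (name.includes('\0')) {
    throw new Error('entry name contains a NUL byte');
  }
  if (name.startsWith('/') || /^[A-Za-z]:/.test(name)) {
    throw new Error(`absolute entry name rejected: ${entryName}`);
  }
  const target = path.resolve(root, name);
  const rel = path.relative(root, target);
  // rel begins with '..' only when target climbed above root.
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`entry escapes ${root}: ${entryName}`);
  }
  return target;
}

// Split a list of entry names into those safe to write and those refused.
function auditEntries(destDir, names) {
  const result = { safe: [], rejected: [] };
  for (const n of names) {
    try {
      result.safe.push(safeEntryPath(destDir, n));
    } catch (err) {
      result.rejected.push({ name: n, reason: err.message });
    }
  }
  return result;
}

// Constructed entry names; '../../file.txt' is the advisory's example.
const sampleNames = [
  'docs/readme.txt',
  'a/../b.txt',
  '..foo/bar.txt',
  '../../file.txt',
  'a/../../file.txt',
  '..\\..\\file.txt',
  '/abs/file.txt',
];
const report = auditEntries('/tmp/extract', sampleNames);
console.log(report.rejected.map((r) => r.name));
```

The check covers entry names only; symlink entries inside an archive need separate handling.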