
Security Bulletin: JSZip publicly disclosed vulnerability affects IBM Safer Payments (CVE-2022-48285)

2023-04-24 14:16:34
www.ibm.com

Tags: ibm safer payments, jszip, cve-2022-48285, zip slip attack, version 6.5.0.01

CVSS3 base score: 7.3 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS: 0.008 Low (percentile 81.6%)

Summary

JSZip is used by IBM Safer Payments as part of the user interface. This vulnerability has been addressed.

Vulnerability Details

CVEID: CVE-2022-48285
**DESCRIPTION:** JSZip could allow a remote attacker to traverse directories on the system. The cause is a failure to sanitize filenames when archives are loaded with loadAsync, which makes the library vulnerable to a Zip Slip attack. By having a specially crafted archive extracted, an attacker could gain access to parts of the file system outside the target folder, overwrite executable files and execute arbitrary commands on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/244499 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Affected Product(s): IBM Safer Payments

Version(s): 6.1.1.01 and above, 6.2.2.01 and above, 6.3.1.01 - 6.3.1.03, 6.4.2.00 - 6.4.2.02 and 6.5.0.00

Remediation/Fixes

Update IBM Safer Payments to version 6.3.1.04, 6.4.2.03, 6.5.0.01 or higher.

Refer to the IBM Safer Payments documentation to download the updates.

Workarounds and Mitigations

None

Affected configurations (Vulners)

ibm safer_payments 6.1 OR 6.2 OR 6.3 OR 6.4 OR 6.5
