Lucene search

GoogleOSV:GHSA-36FH-84J7-CV5H

HistoryJan 29, 2023 - 6:30 a.m.

JSZip contains Path Traversal via loadAsync

2023-01-2906:30:52

Google

osv.dev

jszip

path traversal

loadasync

directory traversal

zip archive

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

0.006 Low

EPSS

Percentile

79.3%

JSON

loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.

CPENameOperatorVersion
jsziplt3.8.0

CPE	Name	Operator	Version
	jszip	lt	3.8.0

References

exchange.xforce.ibmcloud.com/vulnerabilities/244499

github.com/Stuk/jszip

github.com/Stuk/jszip/commit/2edab366119c9ee948357c02f1206c28566cdf15

github.com/Stuk/jszip/compare/v3.7.1...v3.8.0

nvd.nist.gov/vuln/detail/CVE-2022-48285

security.netapp.com/advisory/ntap-20240621-0005

www.mend.io/vulnerability-database/WS-2023-0004

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

0.006 Low

EPSS

Percentile

79.3%

JSON

Related for OSV:GHSA-36FH-84J7-CV5H