EUVD-2022-1241
Malicious code in bioql PyPI...
@webiny/api-page-builder (>=0.0.0-mt-1 <=5.21.0-beta.0), @webiny/api-page-builder-import-export (>=0.0.0-mt-1 <=5.21.0-beta.0) +5 more potentially affected by CVE-2021-23484 via zip-local (=0.3.4)
zip-local NPM version =0.3.4 is affected by a known vulnerability. The following packages have a transitive dependency on zip-local and may be impacted: - @webiny/api-page-builder =0.0.0-mt-1, =0.0.0-mt-1, =0.0.0-mt-1, =0.0.0-mt-1, =0.0.0-mt-1, =0.1.0, =0.0.2, =0.0.7 Source cves: CVE-2021-23484...
Arbitrary File Write
zip-local is vulnerable to arbitrary file write, also known as the zip-slip vulnerability. Unzipping unsynchronously leads to extraction of a malicious file outside the intended extraction directory...
PT-2022-9401 · Zip-Local · Zip-Local
Name of the Vulnerable Software and Affected Versions: zip-local versions prior to 0.3.5 Description: The issue allows for Arbitrary File Write via Archive Extraction, also known as Zip Slip, which can lead to the extraction of a crafted file outside the intended extraction directory. This can...