CVE-2021-32840
CVE-2021-32840 affects SharpZipLib (aka #ziplib). Before version 1.3.3, a TAR file entry "../evil.txt" could be extracted into the parent directory of a destination folder, enabling arbitrary file write and potentially code execution. The vulnerability is patched in version 1.3.3. In the provided...
CVE-2018-1002208
The CVE-2018-1002208 entry concerns SharpZipLib before 1.0 RC1, which is vulnerable to a directory traversal (Zip-Slip). An attacker can write to arbitrary files via a ../ in a Zip entry that is mishandled during extraction. This is supported by multiple connected sources referencing SharpZipLib’...
CVE-2021-32841
CVE-2021-32841 affects SharpZipLib (aka #ziplib). In versions 1.3.0 through 1.3.2, a check to ensure the destination file is under the destination directory could be bypassed if destDir was not slash-terminated (e.g., “/home/user/dir”). This could allow creating a file whose name begins with the ...
CVE-2021-32842
CVE-2021-32842 affects SharpZipLib (aka #ziplib). The issue is a path traversal flaw where a non-slash-terminated _baseDirectory allows creating a file whose name begins with the destination directory (e.g., /home/user/dir.sh), enabling arbitrary file creation. Versions 1.0.0 through 1.3.2 are af...