UpendoVentures/Upendo-DNN-Simple-Auth-Provider

ICSharpCode.SharpZipLib-0.86.0.518.dll: 1 vulnerabilities (highest severity is: 5.5)

Opened this issue · 0 comments

mend-bolt-for-github commented
Vulnerable Library - ICSharpCode.SharpZipLib-0.86.0.518.dll

SharpZipLib for .NET Framework 2.0

Library home page: https://api.nuget.org/packages/icsharpcode.sharpziplib.0.86.0.518.nupkg

Path to vulnerable library: /References/DNN/09.08.00/ICSharpCode.SharpZipLib.dll

Found in HEAD commit: 2db70b6cdbcc474cf1a7e2a73f7d20f87c3af815

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (ICSharpCode.SharpZipLib version) Remediation Possible**
CVE-2018-1002208 Medium 5.5 ICSharpCode.SharpZipLib-0.86.0.518.dll Direct SharpZipLib - 1.0.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2018-1002208

Vulnerable Library - ICSharpCode.SharpZipLib-0.86.0.518.dll

SharpZipLib for .NET Framework 2.0

Library home page: https://api.nuget.org/packages/icsharpcode.sharpziplib.0.86.0.518.nupkg

Path to vulnerable library: /References/DNN/09.08.00/ICSharpCode.SharpZipLib.dll

Dependency Hierarchy:

  • ICSharpCode.SharpZipLib-0.86.0.518.dll (Vulnerable Library)

Found in HEAD commit: 2db70b6cdbcc474cf1a7e2a73f7d20f87c3af815

Found in base branch: dev

Vulnerability Details

SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Publish Date: 2018-07-25

URL: CVE-2018-1002208

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002208

Release Date: 2018-07-25

Fix Resolution: SharpZipLib - 1.0.0

Step up your Open Source Security Game with Mend here