/zip-slip-vulnerability

Zip Slip Vulnerability (Arbitrary file write through archive extraction)

Zip Slip

Zip Slip is a widespread critical archive extraction vulnerability, allowing attackers to write arbitrary files on the system, typically resulting in remote command execution. It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many more. This page provides the most up-to-date fix statuses for the libraries and projects that were found to be exploitable or contain a vulnerable implementation.

For more information on the technical details of Zip Slip, read http://snyk.io/research/zip-slip-vulnerability.

The vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files. The lack of such a library led to vulnerable code snippets being hand-crafted and shared among developer communities such as StackOverflow.

The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.

Here is a vulnerable code example showing a ZipEntry path being concatenated to a destination directory without any path validation. Code similar to this has been found in many repositories across many ecosystems, including libraries which thousands of applications depend on.

   Enumeration<ZipEntry> entries = zip.getEntries();
   while (entries.hasMoreElements()) {
      ZipEntry e = entries.nextElement();
      File f = new File(destinationDir, e.getName());
      InputStream input = zip.getInputStream(e);
      IOUtils.copy(input, write(f));
   }

If you find a library or project that contains similar vulnerable code, we ask for your contribution to this repository to provide the community with the most up to date information about the Zip Slip vulnerability. To contribute, please refer to our CONTRIBUTE.md file.

Affected Libraries

Many of the following affected libraries exist because their ecosystems lack high level APIs providing the basic archive management capabilities. This results in vulnerable code being shared and reused. The following table contains the list of vulnerable libraries we found during private disclosure of Zip Slip which we aim to keep up to date, with community support, going forward as more vulnerable libraries are discovered. Some libraries that do not provide the high-level API often result in vulnerable implementations also, either through people copying and pasting vulnerable private code, or writing their own vulnerable snippets.

Vendor Product Language Confirmed vulnerable Fixed Version CVE Fixed
npm library unzipper JavaScript YES 0.8.13 CVE-2018-1002203 17/4/2018
npm library adm-zip JavaScript YES 0.4.9 CVE-2018-1002204 23/4/2018
Java library codehaus/plexus-archiver Java YES 3.6.0 CVE-2018-1002200 6/5/2018
Java library zeroturnaround/zt-zip Java YES 1.13 CVE-2018-1002201 26/4/2018
Java library zip4j Java YES CVE-2018-1002202
.NET library DotNetZip.Semverd .NET YES 1.11.0 CVE-2018-1002205 7/5/2018
.NET library SharpCompress .NET YES 0.21.0 CVE-2018-1002206 2/5/2018
.NET library mholt/archiver Go YES e4ef56d4 CVE-2018-1002207 17/4/2018
Oracle java.util.zip Java * No High Level API Documentation Fix N/A
Apache commons-compress Java * No High Level API Documentation Fix N/A 23/4/2018
.NET library SharpZipLib .NET * No High Level API N/A
Ruby gem zip-ruby Ruby * No High Level API N/A
Ruby gem rubyzip Ruby * No High Level API N/A
Ruby gem zipruby Ruby * No High Level API N/A
Go library archive Go * No High Level API N/A

Projects Affected and Fixed

The following list of projects contain vulnerable code. Please add to this list as you find projects that are vulnerable to Zip Slip, or if you have further information about a project fix status.

Vendor Product Fixed date Fixed version CVE Vulnerable Code
Apache Storm Storm 2/5/2018 1.0.7 CVE-2018-8008 #1 #2 #3 #4
Apache Hadoop Hadoop 23/5/2018 CVE-2018-8009
Apache Hive Hive CVE-2018-8009
Apache Maven
Apache Ant 21/4/2018 1.9.12
Pivotal spring-integration-zip 3/5/2018 1.0.1 CVE-2018-1261
Pivotal spring-integration-zip 10/5/2018 1.0.2 CVE-2018-1263
HP Fortify Cloud Scan Jenkins Plugin 27/4/2018 #1
OWASP DependencyCheck 7/5/2018
Amazon AWS Toolkit for Eclipse 31/5/2018
SonarCube SonarCube 4/5/2018 #1
Cinchapi Concourse 30/5/2018 #1
Orient Technologies OrientDB 31/5/2018 #1 #2
FenixEdu Academic 30/5/2018 #1
Lucee Lucee 5/6/2018 5.2.7, 5.2.8.47 #1

Defensively fixed but deemed not exploitable

Some projects were confirmed by the project maintainers that their implementation code was not vulnerable to Zip Slip. However they decided to remove or fix their implementation so that in the future, the snippets could not be copied and become vulnerable elsewhere.

Vendor Product Vulnerable Code Removed Vulnerable Code
Apache Kylin 24/4/2018 #1
Apache NiFi 24/4/2018 #1
Apache Geode 20/4/2018
Jenkins Jenkins CI 5/5/2018 #1
Elastic ElasticSearch 10/5/2018 #1
LinkedIn Pinot 22/5/2018 #1
AnkiDroid Anki-Droid 31/5/2018 #1
ata4 bspsrc 30/5/2018 #1
eirslett frontend-maven-plugin 30/5/2018 #1 #2

Deemed not exploitable by the maintainer (vulnerable implementation remains)

The final list of projects are those with snippets of code that still have a vulnerable implementation, but are not exploitable. It is believed that it would not be possible to attack these projects in such a way that could lead to a malicious outcome, but the vulnerable pattern of code still exists within the code base. We strongly encourage such projects to fix the implementation both to prevent its use through other functionality, or use in other projects that copy paste snippets.

Vendor Product Vulnerable Code
JetBrains Intellij-community #1
Apache Apex #1
Apache Zeppelin #1
Apache Reef #1
Apache BookKeeper #1
Apache Pulsar #1
Apache Heron #1
Apache Gobblin #1
Apache Gobblin #1
Apache SystemML #1
Gradle Gradle #1
Gradle Gradle #1
Gradle Gradle #1
plasma-umass doppio #1
streamsets DataCollector #1

For more information on Zip Slip, go to http://snyk.io/research/zip-slip-vulnerability.