SNOW-582927: zip4j-1.3.2.jar: 2 vulnerabilities (highest severity is: 6.5) - autoclosed
Closed this issue · 1 comments
Vulnerable Library - zip4j-1.3.2.jar
An open source java library to handle zip files
Library home page: http://www.lingala.net/zip4j/
Path to dependency file: /deps/aws-sdk-cpp-1.3.50/code-generation/generator/pom.xml
Path to vulnerable library: /canner/.m2/repository/net/lingala/zip4j/zip4j/1.3.2/zip4j-1.3.2.jar
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2018-1002202 |  Medium |
6.5 | zip4j-1.3.2.jar | Direct | 1.3.3 | ✅ |
| CVE-2022-24615 | Medium |
5.5 | zip4j-1.3.2.jar | Direct | net.lingala.zip4j:zip4j:2.9.0 | ✅ |
Details
CVE-2018-1002202
Vulnerable Library - zip4j-1.3.2.jar
An open source java library to handle zip files
Library home page: http://www.lingala.net/zip4j/
Path to dependency file: /deps/aws-sdk-cpp-1.3.50/code-generation/generator/pom.xml
Path to vulnerable library: /canner/.m2/repository/net/lingala/zip4j/zip4j/1.3.2/zip4j-1.3.2.jar
Dependency Hierarchy:
- ❌ zip4j-1.3.2.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
Publish Date: 2018-07-25
URL: CVE-2018-1002202
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002202
Release Date: 2018-07-25
Fix Resolution: 1.3.3
⛑️ Automatic Remediation is available for this issue
CVE-2022-24615
Vulnerable Library - zip4j-1.3.2.jar
An open source java library to handle zip files
Library home page: http://www.lingala.net/zip4j/
Path to dependency file: /deps/aws-sdk-cpp-1.3.50/code-generation/generator/pom.xml
Path to vulnerable library: /canner/.m2/repository/net/lingala/zip4j/zip4j/1.3.2/zip4j-1.3.2.jar
Dependency Hierarchy:
- ❌ zip4j-1.3.2.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
zip4j up to v2.10.0 can throw various uncaught exceptions while parsing a specially crafted ZIP file, which could result in an application crash. This could be used to mount a denial of service attack against services that use zip4j library.
Publish Date: 2022-02-24
URL: CVE-2022-24615
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24615
Release Date: 2022-02-24
Fix Resolution: net.lingala.zip4j:zip4j:2.9.0
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.