CVE-2023-39136

An unhandled edge case in the component _sanitizedPath of ZipArchive v2.5.4 allows attackers to cause a Denial of Service (DoS) via a crafted zip file.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://blog.ostorlab.co/zip-packages-exploitation.html	Exploit Third Party Advisory
https://github.com/ZipArchive/ZipArchive/issues/680	Exploit Issue Tracking Patch Vendor Advisory
https://ostorlab.co/vulndb/advisory/OVE-2023-2	Exploit Third Party Advisory
https://security.snyk.io/research/zip-slip-vulnerability	Third Party Advisory
https://blog.ostorlab.co/zip-packages-exploitation.html	Exploit Third Party Advisory
https://github.com/ZipArchive/ZipArchive/issues/680	Exploit Issue Tracking Patch Vendor Advisory
https://ostorlab.co/vulndb/advisory/OVE-2023-2	Exploit Third Party Advisory
https://security.snyk.io/research/zip-slip-vulnerability	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ziparchive_project:ziparchive:2.5.4:*:*:*:*:*:*:*

History

21 Nov 2024, 08:14

Type	Values Removed	Values Added
References	~~() https://blog.ostorlab.co/zip-packages-exploitation.html - Exploit, Third Party Advisory~~	() https://blog.ostorlab.co/zip-packages-exploitation.html - Exploit, Third Party Advisory
References	~~() https://github.com/ZipArchive/ZipArchive/issues/680 - Exploit, Issue Tracking, Patch, Vendor Advisory~~	() https://github.com/ZipArchive/ZipArchive/issues/680 - Exploit, Issue Tracking, Patch, Vendor Advisory
References	~~() https://ostorlab.co/vulndb/advisory/OVE-2023-2 - Exploit, Third Party Advisory~~	() https://ostorlab.co/vulndb/advisory/OVE-2023-2 - Exploit, Third Party Advisory
References	~~() https://security.snyk.io/research/zip-slip-vulnerability - Third Party Advisory~~	() https://security.snyk.io/research/zip-slip-vulnerability - Third Party Advisory

01 Oct 2024, 21:35

Type	Values Removed	Values Added
CWE		CWE-703

06 Sep 2023, 12:41

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CPE		cpe:2.3:a:ziparchive_project:ziparchive:2.5.4:::::::*
References	~~(MISC) https://github.com/ZipArchive/ZipArchive/issues/680 -~~	(MISC) https://github.com/ZipArchive/ZipArchive/issues/680 - Exploit, Issue Tracking, Patch, Vendor Advisory
References	~~(MISC) https://security.snyk.io/research/zip-slip-vulnerability -~~	(MISC) https://security.snyk.io/research/zip-slip-vulnerability - Third Party Advisory
References	~~(MISC) https://blog.ostorlab.co/zip-packages-exploitation.html -~~	(MISC) https://blog.ostorlab.co/zip-packages-exploitation.html - Exploit, Third Party Advisory
References	~~(MISC) https://ostorlab.co/vulndb/advisory/OVE-2023-2 -~~	(MISC) https://ostorlab.co/vulndb/advisory/OVE-2023-2 - Exploit, Third Party Advisory
First Time		Ziparchive Project ziparchive Ziparchive Project
CWE		NVD-CWE-noinfo

30 Aug 2023, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-08-30 22:15

Updated : 2024-11-21 08:14

NVD link : CVE-2023-39136

Mitre link : CVE-2023-39136

CVE.ORG link : CVE-2023-39136

JSON object : View

Products Affected

ziparchive_project

ziparchive

CWE

NVD-CWE-noinfo CWE-703

Improper Check or Handling of Exceptional Conditions

5.5 /10