Vulnerability Description
The package juce-framework/juce before 6.1.5 is vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) in the ZipFile::uncompressEntry function in juce_ZipFile.cpp. The entry name stored in the archive is joined to the target directory without checking that the resulting path still lies inside it, so an entry named with "../" segments (or an absolute path) is written outside the extraction directory. The vulnerability is triggered when an archive is extracted by calling uncompressTo() on a ZipFile object, because uncompressTo() calls uncompressEntry() for every entry, so any code that extracts an attacker-supplied zip with an affected JUCE version is exposed.
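The following example, added here and not code from JUCE or from the fix commit, shows the two halves of the problem: the naive join of target directory and entry name that a Zip Slip-prone extractor performs, and the containment check a hardened uncompressEntry() has to make before opening the output file. It uses std::filesystem instead of JUCE's File class, so the functions (naiveEntryPath, isWithinDirectory, safeEntryPath, countRejected), the target directory /tmp/extract and the entry names in sampleEntries are all assumptions constructed for the demonstration; no zip is parsed, only the name handling is exercised.

```cpp
#include <cstddef>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Naive resolution: join the extraction directory and the untrusted entry name, as a
// Zip Slip-prone extractor does. Nothing rejects "../" segments or absolute names;
// lexically_normal() only shows where the write would actually land.
fs::path naiveEntryPath(const fs::path& targetDir, const std::string& entryName)
{
    return (targetDir / entryName).lexically_normal();
}

// Lexical containment test: true if candidate, after normalisation, still starts with
// every path component of targetDir. It compares whole components, so "/tmp/extract2"
// is not mistaken for a child of "/tmp/extract", and it needs no filesystem access.
bool isWithinDirectory(const fs::path& targetDir, const fs::path& candidate)
{
    fs::path base = targetDir.lexically_normal();
    if (! base.has_filename())          // strip a trailing separator: "/tmp/extract/" -> "/tmp/extract"
        base = base.parent_path();

    const fs::path cand = candidate.lexically_normal();

    auto b = base.begin();
    auto c = cand.begin();
    for (; b != base.end(); ++b, ++c)
        if (c == cand.end() || *b != *c)
            return false;
    return true;
}

// Hardened resolution: the check that belongs in uncompressEntry() before the output
// file is created. Returns nullopt for any entry that would land outside targetDir.
std::optional<fs::path> safeEntryPath(const fs::path& targetDir, const std::string& entryName)
{
    if (entryName.empty())
        return std::nullopt;

    const fs::path candidate = naiveEntryPath(targetDir, entryName);
    if (! isWithinDirectory(targetDir, candidate))
        return std::nullopt;

    return candidate;
}

// Constructed entry names standing in for a malicious archive's central directory.
const std::vector<std::string> sampleEntries = {
    "plugin/Settings.xml",                 // benign
    "plugin/../Presets/Default.preset",    // benign: the ".." stays inside targetDir
    "../../../home/user/.bashrc",          // Zip Slip: climbs out of targetDir
    "/etc/cron.d/backdoor",                // Zip Slip: an absolute name replaces targetDir on join
};

// Number of entries the hardened resolver refuses to write.
std::size_t countRejected(const fs::path& targetDir, const std::vector<std::string>& entries)
{
    std::size_t rejected = 0;
    for (const auto& name : entries)
        if (! safeEntryPath(targetDir, name))
            ++rejected;
    return rejected;
}

int main()
{
    const fs::path targetDir = "/tmp/extract";

    for (const auto& name : sampleEntries)
    {
        const auto safe = safeEntryPath(targetDir, name);
        std::cout << name
                  << "\n  naive join writes to: " << naiveEntryPath(targetDir, name).string()
                  << "\n  hardened:             " << (safe ? "accepted" : "REJECTED") << '\n';
    }
    return 0;
}
```

The check is deliberately lexical: it decides from the entry name alone, before anything touches the disk, which is the same point at which an extractor must decide. Symlinks already present in the target directory are a separate concern that a lexical check does not cover.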
CVSS Score
5.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Juce | Juce | < 6.1.5 |
Related Weaknesses (CWE)
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), the weakness class that Zip Slip belongs to
References
- https://github.com/juce-framework/JUCE/commit/2e874e80cba0152201aff6a4d0dc407997 (Patch, Third Party Advisory)
- https://snyk.io/research/zip-slip-vulnerability (Exploit, Technical Description, Third Party Advisory)
- https://snyk.io/vuln/SNYK-UNMANAGED-JUCEFRAMEWORKJUCE-2388607 (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2021-23520?
CVE-2021-23520 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The package juce-framework/juce before 6.1.5 is vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) in the ZipFile::uncompressEntry function in juce_ZipFile.cpp. The vulnerability is triggered when an archive is extracted by calling uncompressTo() on a ZipFile object.
How severe is CVE-2021-23520?
CVE-2021-23520 has been rated MEDIUM with a CVSS base score of 5.5/10. The practical impact depends on what the extracting process may write: a malicious archive can place or overwrite files anywhere that process has write access outside the intended extraction directory.
Is there a patch for CVE-2021-23520?
Yes. The issue is fixed in juce-framework/juce 6.1.5; the fix commit is listed in the references section above together with the Snyk advisory. Affected products: JUCE (juce-framework/juce) before 6.1.5. Upgrade to 6.1.5 or later, or avoid calling uncompressTo() on archives from untrusted sources until you do.