Vulnerability Description
SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry named `../evil.txt` may be extracted into the parent directory of `destFolder` instead of being confined to it. This results in an arbitrary file write, which may lead to code execution. The vulnerability was patched in version 1.3.3.
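The containment check an extractor needs against this class of entry, as an added example in Python rather than SharpZipLib's own code: resolve every entry's target path against the destination folder and refuse any entry whose normalised path is not inside it. The tar archive is constructed in memory for the demonstration; `extract_dest` is a placeholder destination and nothing is written to disk.

```python
import io
import os
import tarfile

# Constructed sample archive: one benign entry and one traversal entry shaped
# like the `../evil.txt` case in CVE-2021-32840. Built in memory only.
def build_sample_tar():
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("ok.txt", b"benign"), ("../evil.txt", b"escaped")):
            info = tarfile.TarInfo(name=name)   # TarInfo keeps the name verbatim
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def resolve_entry_path(dest_folder, entry_name):
    """Return the absolute path an entry would be written to, or None when that
    path is not inside dest_folder (the check a safe extractor must make)."""
    dest_root = os.path.realpath(dest_folder)
    # Absolute names (and drive-qualified names on Windows) can never be inside dest.
    if os.path.isabs(entry_name) or os.path.splitdrive(entry_name)[0]:
        return None
    # Normalise after joining so "sub/../../evil.txt" collapses before the test.
    target = os.path.realpath(os.path.join(dest_root, entry_name))
    # commonpath rather than startswith: "/out" must not accept "/out2/evil.txt".
    if os.path.commonpath([dest_root, target]) != dest_root:
        return None
    return target

def classify_entries(tar_bytes, dest_folder):
    """Map each entry name to 'ok' or 'rejected' without extracting anything."""
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            inside = resolve_entry_path(dest_folder, member.name) is not None
            verdicts[member.name] = "ok" if inside else "rejected"
    return verdicts

if __name__ == "__main__":
    print(classify_entries(build_sample_tar(), "extract_dest"))
```

The same rule is what Python 3.12's `tarfile` applies with `filter="data"`; the explicit version above makes the rejected path visible for logging or alerting.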
CVSS Score
7.3 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sharpziplib Project | Sharpziplib | < 1.3.3 |
Related Weaknesses (CWE)
References
- https://github.com/icsharpcode/SharpZipLib/commit/a0e96de70b5264f4c919b09253b152 (Patch, Third Party Advisory)
- https://github.com/icsharpcode/SharpZipLib/releases/tag/v1.3.3 (Third Party Advisory)
- https://securitylab.github.com/advisories/GHSL-2021-125-sharpziplib/ (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-32840?
CVE-2021-32840 is a vulnerability with a CVSS score of 7.3 (HIGH). SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry `../evil.txt` may be extracted in the parent directory of `destFolder`. This leads to arbitrary...
How severe is CVE-2021-32840?
CVE-2021-32840 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32840?
Yes: the fix shipped in SharpZipLib 1.3.3. Check the references section above for the patch commit and vendor advisory. Affected products: Sharpziplib Project Sharpziplib, versions before 1.3.3.