Vulnerability Description
SSZipArchive versions 2.5.3 and older contain an arbitrary file write vulnerability due to lack of sanitization on paths which are symlinks. SSZipArchive will overwrite files on the filesystem when opening a malicious ZIP containing a symlink as the first item.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ziparchive Project | Ziparchive | <= 2.5.3 |
Related Weaknesses (CWE)
References
- https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-vgv (Exploit, Third Party Advisory)
FAQ
What is CVE-2022-36943?
CVE-2022-36943 is a vulnerability with a CVSS score of 8.1 (HIGH). SSZipArchive versions 2.5.3 and older contain an arbitrary file write vulnerability due to lack of sanitization on paths which are symlinks. SSZipArchive will overwrite files on the filesystem when op...
How severe is CVE-2022-36943?
CVE-2022-36943 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-36943?
Check the references section above for vendor advisories and patch information. Affected products include: Ziparchive Project Ziparchive.