Published on Friday, 08 June 2018 10:46

Background
On 5 June 2018, the Snyk Security team disclosed a critical archive extraction vulnerability dubbed Zip Slip. It is an arbitrary file overwrite vulnerability: a malicious archive can cause files to be written outside the intended extraction directory, which can be escalated to remote command execution on affected systems. As a result, thousands of projects, including projects by HP, Amazon, Apache, Pivotal and many more, are affected.
Affected Programming Languages
Vulnerable extraction libraries exist for several programming languages, and the affected ecosystems are not limited to any single one. Please refer to the Snyk disclosure for the complete list of affected libraries by programming language.
Zip Slip is exploited using a specially crafted archive whose entry names contain directory traversal sequences (for example ../../), so that, when an extraction routine joins the entry name to the destination path without validating the result, files are written outside the intended extraction directory. An attacker can use this to overwrite executable files and either invoke them remotely or wait for the system or a user to run them, thus achieving remote command execution on the victim's machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both users' machines and servers. The flaw lies in the extraction code rather than in any particular archive format, and it has been demonstrated with zip, tar, jar, war, cpio, apk, rar and 7z archives.
Software developers are advised to:
- check whether their projects contain vulnerable extraction code, that is, code that builds the output path from an archive entry name without validating where the resulting path points. Refer to the Snyk disclosure for more information.
- upgrade to the fixed versions of affected libraries, in which the vulnerable extraction code has been corrected
- add Zip Slip security testing to their application build pipeline, for instance by validating that every entry path in an archive resolves inside the intended extraction directory before anything is written to disk
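The following Python program is an added example; it is not code from the original alert, from Snyk, or from any of the affected libraries. It constructs a malicious archive in memory (a constructed sample, not a real payload), extracts it with a hand-written loop that trusts entry names the way the affected libraries did, and then applies the path check recommended above, both as a hardened extractor and as a build-pipeline style scan that flags unsafe entries without extracting. Python's own ZipFile.extractall already sanitises names, which is why the vulnerable loop is written by hand. The entry names, temporary directory layout and function names are assumptions made for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict, List


def build_zip(entries: Dict[str, str]) -> bytes:
    """Build an in-memory zip from {entry_name: content}. ZipInfo stores the
    name verbatim, so a traversal sequence such as "../" survives exactly as
    it would in an attacker's hand-crafted archive (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def extract_vulnerable(zip_bytes: bytes, dest: str) -> List[str]:
    """Extraction loop that trusts entry names: the bug pattern behind Zip Slip.
    Written by hand because Python's ZipFile.extractall sanitises names."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no validation at all
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def safe_target(dest: str, name: str) -> str:
    """Resolve an entry name under dest and refuse anything that would land
    outside it. Comparing canonical paths covers "../" sequences, absolute
    entry names and a symlinked destination directory."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError("Zip Slip entry rejected: %r" % name)
    return target


def extract_safe(zip_bytes: bytes, dest: str) -> List[str]:
    """Same loop with the check applied to every entry before any write, so a
    malicious archive leaves no partial extraction behind."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [(i, safe_target(dest, i.filename)) for i in zf.infolist()]
        written = []
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, os.path.realpath(dest)))
    return written


def find_traversal_entries(zip_bytes: bytes, dest: str = "/extract") -> List[str]:
    """Build-pipeline check: list the entries that would escape dest, without
    extracting anything. dest only has to be a plausible path, not exist."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                safe_target(dest, info.filename)
            except ValueError:
                bad.append(info.filename)
    return bad


def demo() -> Dict[str, object]:
    """Run both extractors against the constructed archive inside a temporary
    directory and report what each one did."""
    malicious = build_zip({
        "good.txt": "harmless\n",
        "../../evil.txt": "planted by a Zip Slip archive\n",  # constructed
    })
    clean = build_zip({"good.txt": "harmless\n"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "a", "b")  # two levels deep: ../../ stays in tmp
        os.makedirs(dest)
        extract_vulnerable(malicious, dest)
        escaped = os.path.isfile(os.path.join(tmp, "evil.txt"))  # outside dest
        try:
            extract_safe(malicious, dest)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "vulnerable_escaped": escaped,
            "safe_rejected": rejected,
            "flagged": find_traversal_entries(malicious, dest),
            "safe_written": extract_safe(clean, dest),
        }


if __name__ == "__main__":
    print(demo())
```

The same check transfers directly to tar, jar and the other formats named above: canonicalise the joined path and compare it against the canonical destination before opening any file for writing. Rejecting the whole archive on the first unsafe entry, rather than skipping that entry, avoids leaving a half-extracted tree that later steps of a pipeline might trust.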