Zip Slip

Researchers from security firm Snyk have publicized a vulnerability in multiple archive file-extraction libraries found in thousands of open-source web application projects including those from HP, Amazon, Apache, Oracle, Linkedin, Twitter, and others. Dubbed “Zip Slip,” the flaw could allow a threat actor to perform a traversal attack, enabling access to the root directory on an application and possibly granting remote code execution. In ecosystems such as .NET, Java, JavaScript, Go, and Ruby, there is no central software library for unpacking archive files, causing developers to write their own code to enable that functionality. A threat actor could create a specially-crafted archive file containing extra directory paths that will traverse up to the root directory as the file is extracted, giving the actor access to the file system outside the folder in which it should reside. Since developers share the code snippets on developer community sites, such as StackOverflow, Zip Slip has been able to spread to many software projects. The vulnerability can affect the following file types: .zip, .tar, .jar, .war, .cpio, .apk, .rar, and 7z.

The NJCCIC recommends all users and administrators of the libraries listed above review the Snyk report on Zip Slip and update to the newest, patched version as soon as possible.