SharpCompress is a fully managed C# library to deal with many compression types and formats. Versions prior to 0.29.0 are vulnerable to partial path traversal. SharpCompress recreates a hierarchy of directories under destinationDirectory if ExtractFullPath is set to true in options. In order to prevent extraction outside the destination directory, the destinationFileName path is verified to begin with fullDestinationDirectoryPath. However, prior to version 0.29.0, it is not enforced that fullDestinationDirectoryPath ends with a slash. If the destinationDirectory is not slash terminated, like /home/user/dir, it is possible to create a file whose name begins with the destination directory name, one level up from the directory, i.e. /home/user/dir.sh. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. This issue is fixed in SharpCompress version 0.29.0.
Vulnerable Library - sharpcompress.0.22.0.nupkg
SharpCompress is a compression library for .NET Standard 1.0 that can unrar, decompress 7zip, decompr...
Library home page: https://api.nuget.org/packages/sharpcompress.0.22.0.nupkg
Path to dependency file: /SamplesV2/UntarAzureFilesWithAzureFunction/src/ExtractFunction/ExtractFunction.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/sharpcompress/0.22.0/sharpcompress.0.22.0.nupkg
Found in HEAD commit: 216bf28400f470d9ba71ee4e2968bdad46892af7
Vulnerabilities
Details
CVE-2021-39208
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Publish Date: 2021-09-16
URL: CVE-2021-39208
CVSS 3 Score Details (4.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-jp7f-grcv-6mjf
Release Date: 2021-09-16
Fix Resolution: SharpCompress - 0.29.0
⛑️ Automatic Remediation is available for this issue