Security researchers at Snyk have disclosed a critical vulnerability, dubbed "Zip Slip", that affects many open source coding libraries. The flaw lies in the way developers implement libraries and plugins when decompressing an archived file: the extraction code trusts the file names stored inside the archive.
Many archive formats, such as tar, jar, war, cpio, apk and 7z, are affected by this bug, not only zip. The vulnerability causes files to be written to an unintended location. Zip Slip is a directory traversal leading to arbitrary file overwrite: an archive entry whose name contains traversal sequences such as "../" is joined onto the destination directory without validation, so the attacker can write files outside of the specified location. Overwriting sensitive files, such as executables, scripts or configuration files, can in turn lead to remote command execution or crash critical programs.
“The two parts required to exploit this vulnerability are a malicious archive and extraction code that does not perform validation checking,” the Snyk team said today in a security advisory.
The Snyk team has listed affected libraries on GitHub, written in languages including JavaScript, Python, Ruby, .NET, Go and Groovy. The issue is most prevalent in the Java ecosystem, where there is no central library for high-level archive processing and developers often write their own extraction code.
The vulnerable extraction pattern is widespread, including in code shared on Stack Overflow, so many apps written in Java may be vulnerable to Zip Slip without their developers knowing. The Snyk team has published a technical paper showing how the Zip Slip bug affects systems, a proof-of-concept Zip Slip archive that developers can use to test their apps for the vulnerability, and a demo video of the exploit.
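The following added example, written for this article and not taken from Snyk's proof-of-concept or from any affected library, shows the two parts the advisory describes: a constructed archive whose entry name contains "../", and two extractors. The naive one joins the entry name onto the destination directory without validation, so the file lands two levels above it; the hardened one resolves the target path and rejects any entry that does not stay under the destination. Python is used so the example runs stand-alone; the same check applies in Java by comparing the canonical path of each entry against the canonical path of the extraction directory. The function names, the "app/uploads" directory and the "evil.txt" entry are assumptions of this example.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Build a constructed Zip Slip archive in memory (example data, not Snyk's PoC).

    The second entry name contains "../" segments, so a naive extractor that
    joins the name onto the destination directory writes the file two levels
    above it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("harmless.txt", "nothing to see here\n")
        zf.writestr("../../evil.txt", "overwritten by the archive\n")
    return buf.getvalue()


def extract_vulnerable(archive: bytes, dest: str) -> list:
    """Naive extractor: trusts entry names, the pattern Zip Slip exploits."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for entry in zf.infolist():
            target = os.path.join(dest, entry.filename)  # no validation at all
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(entry))
            written.append(os.path.realpath(target))
    return written


def extract_safe(archive: bytes, dest: str) -> list:
    """Hardened extractor: resolve each target and confirm it stays under dest."""
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for entry in zf.infolist():
            target = os.path.realpath(os.path.join(root, entry.filename))
            # commonpath rejects "../" escapes, absolute entry names and
            # symlinked parent directories that resolve outside root
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"Zip Slip entry rejected: {entry.filename!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(entry))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors in a scratch tree and report what happened."""
    archive = build_malicious_zip()
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        dest = os.path.join(tmp, "app", "uploads")  # assumed extraction directory
        os.makedirs(dest)
        vuln_paths = extract_vulnerable(archive, dest)
        escaped = [p for p in vuln_paths if os.path.commonpath([dest, p]) != dest]
        try:
            extract_safe(archive, dest)
            safe_rejected = False
        except ValueError:
            safe_rejected = True
        return {
            "escaped": [os.path.relpath(p, tmp) for p in escaped],
            "safe_rejected": safe_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

With the naive extractor the malicious entry is written to evil.txt at the top of the scratch tree, outside app/uploads; the hardened extractor raises on that entry. Note that the check must be done on the resolved path of each entry, not by searching the name for "../", since absolute names and symlinked directories can escape without that substring.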