“Zip Slip”: A Critical Vulnerability Exploited in Zip
Zip Vulnerability: Security researchers have discovered a critical vulnerability that impacts many open source coding libraries.
The vulnerability, named “Zip Slip”, was discovered by the Snyk team. It stems from the way coders implement libraries and plug-ins that decompress an archive file.
Many archive formats, such as tar, jar, war, cpio, apk and 7z, are affected by this bug. In essence, the vulnerability causes files to be unzipped to an unintended location.
Zip Slip can cause arbitrary file overwrite and directory traversal. An attacker can easily get files unzipped outside the intended location, which in some cases might overwrite sensitive operating system files, which can in turn allow a buffer overflow or crash critical programs.
“The two parts required to exploit this vulnerability is a malicious archive and extraction code that does not perform validation checking,” the Snyk team said today in a security advisory.
The Snyk team has listed on GitHub some of the libraries affected by Zip Slip. They are written in programming languages such as JavaScript, Python, Ruby, .NET, Go and Groovy. The problem has affected the Java ecosystem.
The vulnerability has spread across a wide variety of platforms, including code shared on Stack Overflow.
The majority of apps written in Java may be exposed to Zip Slip without their developers even knowing.
The Snyk team has published a technical paper showing how the Zip Slip bug affects the whole system.
The researchers have also published a proof-of-concept Zip Slip archive that developers can use to test their apps against the vulnerability.