Description
SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry named `../evil.txt` may be extracted into the parent directory of `destFolder`. This results in an arbitrary file write, which may lead to code execution. The vulnerability was patched in version 1.3.3.
References (3)
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://securitylab.github.com/advisories/GHSL-2021-125-sharpziplib/
Third Party Advisory x_refsource_misc
https://github.com/icsharpcode/SharpZipLib/releases/tag/v1.3.3
Patch, Third Party Advisory x_refsource_misc
https://github.com/icsharpcode/SharpZipLib/commit/a0e96de70b5264f4c919b09253b1522bc7a221cc
Scores
CVSS v3
7.3
EPSS
0.0155
EPSS Percentile
81.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
nuget/SharpZipLib
0 - 1.3.3 (NuGet)
sharpziplib_project/sharpziplib
< 1.3.3
Published
Jan 26, 2022
Tracked Since
Feb 18, 2026