CVE-2021-32841

Date: January 26, 2022

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting with version 1.3.0 and prior to version 1.3.3, a check was added to verify that the destination file is under the destination directory. However, it is not enforced that `destDir` ends with a slash. If `destDir` is not slash-terminated, like `/home/user/dir`, it is possible to create a file with a name that begins with the destination directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 contains a patch for this vulnerability.
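The difference between a bare prefix comparison and one made against a separator-terminated directory, as an added example that is not SharpZipLib's own code. The class name, method names and entry names are hypothetical, and the sample values are constructed.

```csharp
using System;
using System.IO;

static class ExtractionPathCheck
{
    // Weak form described in the advisory: a prefix comparison against
    // destDir exactly as the caller supplied it (no trailing separator enforced).
    static bool IsUnderDestDirWeak(string destDir, string entryName)
    {
        string target = Path.GetFullPath(Path.Combine(destDir, entryName));
        return target.StartsWith(Path.GetFullPath(destDir), StringComparison.Ordinal);
    }

    // Hardened form: terminate the directory with a separator first, so a
    // sibling path such as ".../dir.sh" no longer shares the prefix ".../dir/".
    static bool IsUnderDestDirStrict(string destDir, string entryName)
    {
        string root = Path.GetFullPath(destDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            root += Path.DirectorySeparatorChar;
        string target = Path.GetFullPath(Path.Combine(root, entryName));
        return target.StartsWith(root, StringComparison.Ordinal);
    }

    static void Main()
    {
        // Constructed sample: a destination directory without a trailing separator
        // and three constructed archive entry names.
        string destDir = Path.Combine(Path.GetTempPath(), "dir");
        string[] entries = { "docs/readme.txt", "../dir.sh", "../other/file.txt" };

        foreach (string entry in entries)
        {
            bool weak = IsUnderDestDirWeak(destDir, entry);
            bool strict = IsUnderDestDirStrict(destDir, entry);
            Console.WriteLine($"{entry,-20} weak={weak,-5} strict={strict}");
        }
    }
}
```

Only the middle entry is treated differently by the two checks: it resolves to a sibling of the destination directory whose name begins with the directory's name, which the weak check accepts and the strict check rejects.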

Language: C#

Severity Score

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version Enjoy.Application - 6.1.3.230719;LINGYUN.Abp.Cli - 5.0.0-rc.1;gitmo - no_fix;Enjoy.Micro.Log - no_fix;Skyline.DataMiner.Dev.Common - 10.2.0.4;Skyline.DataMiner.Dev.Common - 10.2.6.4;Skyline.DataMiner.Dev.Common - 10.2.5.4;Volo.Abp.Cli - 0.19.0;Volo.Abp.Cli - 5.0.0-beta.1;Flubu - no_fix;Enjoy.NPOI.Extend - no_fix;dotnet-SlugCI - no_fix;Enjoy.Micro.Consul - no_fix;DK.Expressions.Shell - 4.1.10.2011081600;Microsoft.Azure.Functions.Worker.Sdk - 1.5.0-preview1;Aiwins.Rocket.Cli - no_fix;DistributeComponent - no_fix;Ingeniux_DSS_RTAPI - 10.5.128;Ingeniux_DSS_RTAPI - 10.6.154-prerelease;Mni.Core.Cli - no_fix;Cocos2D-Mono.DesktopGL - 2.3.8;dotnet-sqltest - 0.5.0;Nuke.CodeGeneration - 0.19.0;Firely.Terminal - 2.5.0-beta-1;Enjoy.EventBus.CAP.Extend - no_fix;Enjoy.Platform.Proxy - no_fix;DWF.Activities.Excel - no_fix;Enjoy.AspNetCore - no_fix;FrameworkCommon - no_fix;H-13967 - no_fix;FanhanRPATools - no_fix;ThirdPartyLibraries.GlobalTool - 2.1.1;Sanding.Util.Extension.dll - 2.0.0;Enjoy.Micro.Client - no_fix;stankins.console - no_fix;AdamBarclay.WebAssetBuilder - 1.1.0;Fib.Net.MSBuild - no_fix;HIC.RDMP.Plugin - 8.1.0-rc1;Enjoy.Micro.HealthChecks - no_fix;Enjoy.ExcelReport - no_fix;DevMark - no_fix;Microsoft.CST.AttackSurfaceAnalyzer.CLI - 2.3.272;lucene-cli - no_fix;lucene-cli - 4.8.0-beta00017;UpToYou - no_fix;Enjoy.Core - no_fix;Microsoft.CST.RecursiveExtractor.CLI - 1.1.4;MyHaven.Tool - no_fix;Nuke.Common - 6.0.0-beta0001;Nuke.Common - 0.23.0-alpha0142;Nuke.Common - 0.24.4;Torinox - no_fix;MyHavenBuild.Tool - 1.0.1;ExtCore.Repo.Tool - no_fix;Enjoy.TemplateEngine - no_fix;Microsoft.CST.DevSkim.CLI - 0.4.254;Syncer - no_fix;Mono.Addins.UtilTool - 1.3.10;TCT.Build.Cake - no_fix;ExcelProvider - 1.0.0;Enjoy.SignalR - no_fix;Enjoy.AOP - no_fix;Nibbler - 1.8.0-beta.5;Buildeploy.net - no_fix;_build - no_fix;Enjoy.Web - no_fix;Idea.Do.Cli - no_fix;Enjoy.EventBus.CAP.DataBase - no_fix;BBDownBlue - no_fix;BBDown - 1.4.7;Enjoy.Resilience.Http - no_fix;UnPak.Console - 
no_fix;Enjoy.CacheProvider - no_fix;Enjoy.ExcelUtility - no_fix;Jver.VerifyMicrosoftPackage - no_fix;dotnet-httpie - 0.9.0;dotnet-httpie - 0.9.0-preview-20241202-120118;AbpTools - no_fix;Thaan.Extension.DatabaseOperations - no_fix;VirtoCommerce.GlobalTool - 3.0.0-alpha.42;VirtoCommerce.GlobalTool - 3.0.0;SharpZipLib - 1.3.3;Enjoy.DocDB - no_fix;Dimmy - no_fix;Wonsen.Admin.WebApi - 1.0.6;LambdaSharp.Tool - 0.8.3.5;Firely.Server.Ingest - 2.2.0;Microsoft.CST.ApplicationInspector.CLI - 1.4.12;ISuperORM.NET.sdk - 2.0.2;ISuperORM.NET.sdk - 2.0.6;Cocos2D-Mono.Windows - 2.3.8;CommunicationComponent - no_fix;Nuke.GlobalTool - 6.0.0-beta0001;Torinox.R4 - no_fix;DWF.Activities.File - no_fix;dwl.NPOI - no_fix;Enjoy.Models - no_fix;Facade.ToolCLI - 1.2.2;Enjoy.Approve - no_fix;dotnet-compressor - 2.0.0;Enjoy.Configure - no_fix;GarMel.Daf.Web.Core - no_fix;ResumeBuilder.Cli - no_fix;Cocos2D-Mono.iOS - 2.3.9;Enjoy.DBUtility - no_fix;Snowflake.Tooling.Cli - 6.0.0;Nuke.MSBuildTaskSurrogate - no_fix;MapDownloader - no_fix;dotnet-codegencs - 1.0.1;Thaan.Extension.Selenium - 1.1.3;Thaan.Extension.Archive - no_fix;Stormancer.Cpp.BuildTool - no_fix;CreateDecisionsModule-GlobalTool - 1.0.8;TrafficGuarantee.RedisDataStorage - no_fix;Xposure.Lean.Launcher - no_fix;MddCli - no_fix;Refriender - no_fix;WolvenKit.CLI - 1.6.0

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE