CVE-2021-22114

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-22114
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22114.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-22114
Aliases
Withdrawn
2024-05-08T06:50:52.288239Z
Published
2021-03-01T18:15:19Z
Modified
2023-11-28T22:31:53.016910Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

References

Affected packages

Git / github.com/spring-projects/spring-integration-extensions

Affected ranges

Type
GIT
Repo
https://github.com/spring-projects/spring-integration-extensions
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

cass.*

cass.v0.5.0.RELEASE
cass.v0.6.0.RELEASE
cass.v0.7.0.RELEASE
cass.v0.8.0.RELEASE
cass.v0.9.0

hz.*

hz.v1.0.0-M1
hz.v1.0.0.M2
hz.v1.0.0.RELEASE
hz.v2.0.0.RELEASE
hz.v3.0.0

kafka.*

kafka.v1.0.0.M1
kafka.v1.0.0.M2
kafka.v1.0.0a.M2

kdsl.*

kdsl.v0.0.1.RELEASE
kdsl.v0.0.2.RELEASE

mqtt.*

mqtt.v1.0.0.M1

sidsl.*

sidsl.v1.0.0.M1
sidsl.v1.0.0.M2
sidsl.v1.0.0.M3
sidsl.v1.0.0.RC1

sitw.*

sitw.v1.0.0.M1
sitw.v1.0.0.RELEASE

smb.*

smb.v0.5.0.RELEASE
smb.v1.0.0.RELEASE
smb.v1.1.0.RELEASE
smb.v1.2.0.RELEASE
smb.v1.2.1.RELEASE

smpp.*

smpp.v1.0.0.GA
smpp.v1.0.0.RELEASE

splunk.*

splunk.v1.0.0.M1-fix

zip.*

zip.v1.0.0.M1
zip.v1.0.0.RELEASE
zip.v1.0.1.RELEASE
zip.v1.0.2.RELEASE
zip.v1.0.3.RELEASE