GHSA-j945-c44v-97g6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j945-c44v-97g6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-j945-c44v-97g6/GHSA-j945-c44v-97g6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j945-c44v-97g6
- Aliases
- Published
- 2024-10-28T18:30:32Z
- Modified
- 2024-10-30T14:50:31.718967Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- MPXJ has a Potential Path Traversal Vulnerability
- Details
-
Impact
The patch for the historical vulnerability CVE-2020-35460 in MPXJ is incomplete as there is still a possibility that a malicious path could be constructed which would not be picked up by the original fix and allow files to be written to arbitrary locations.
Patches
The issue is addressed in MPXJ version 13.5.1
Workarounds
Do not pass zip files to MPXJ.
References
N/A
Credits
Issue report and patch provided by yyjLF and sprinkle
- References
-
- https://github.com/joniles/mpxj/security/advisories/GHSA-j945-c44v-97g6
- https://nvd.nist.gov/vuln/detail/CVE-2024-49771
- https://github.com/joniles/mpxj/commit/8002802890dfdc8bc74259f37e053e15b827eea0
- https://github.com/joniles/mpxj
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mpxj/CVE-2024-49771.yml
Affected packages
Maven / net.sf.mpxj:mpxj
Package
- Name
- net.sf.mpxj:mpxj
- View open source insights on deps.dev
- Purl
- pkg:maven/net.sf.mpxj/mpxj
Affected versions
8.*
8.3.5
8.4.0
8.5.0
8.5.1
9.*
9.0.0
9.1.0
9.2.0
9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6
9.3.0
9.3.1
9.4.0
9.5.0
9.5.1
9.5.2
9.6.0
9.7.0
9.8.0
9.8.1
9.8.2
9.8.3
10.*
10.0.0
10.0.1
10.0.3
10.0.4
10.0.5
10.1.0
10.2.0
10.3.0
10.4.0
10.5.0
10.6.0
10.6.1
10.6.2
10.7.0
10.8.0
10.9.0
10.9.1
10.10.0
10.11.0
10.12.0
10.13.0
10.14.0
10.14.1
10.15.0
10.16.0
10.16.1
10.16.2
11.*
11.0.0
11.1.0
11.2.0
11.3.0
11.3.1
11.3.2
11.4.0
11.5.0
11.5.1
11.5.2
11.5.3
11.5.4
12.*
12.0.0
12.0.1
12.0.2
12.1.0
12.1.1
12.1.2
12.1.3
12.2.0
12.3.0
12.4.0
12.5.0
12.6.0
12.7.0
12.8.0
12.8.1
12.9.0
12.9.1
12.9.2
12.9.3
12.10.0
12.10.1
12.10.2
12.10.3
13.*
13.0.0
13.0.1
13.0.2
13.1.0
13.2.0
13.2.1
13.3.0
13.3.1
13.4.0
13.4.1
13.4.2
13.5.0
RubyGems / mpxj
Package
- Name
- mpxj
- Purl
- pkg:gem/mpxj
Affected versions
8.*
8.3.5
8.4.0
8.5.0
8.5.1
9.*
9.0.0
9.1.0
9.2.0
9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6
9.3.0
9.3.1
9.4.0
9.5.0
9.5.1
9.5.2
9.6.0
9.7.0
9.8.0
9.8.1
9.8.2
9.8.3
10.*
10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.1.0
10.2.0
10.3.0
10.4.0
10.5.0
10.6.0
10.6.1
10.6.2
10.7.0
10.8.0
10.9.0
10.9.1
10.10.0
10.11.0
10.12.0
10.13.0
10.14.0
10.14.1
10.15.0
10.16.0
10.16.1
10.16.2
11.*
11.0.0
11.1.0
11.2.0
11.3.0
11.3.1
11.3.2
11.4.0
11.5.0
11.5.1
11.5.2
11.5.3
11.5.4
12.*
12.0.0
12.0.1
12.0.2
12.1.0
12.1.1
12.1.2
12.1.3
12.2.0
12.3.0
12.4.0
12.5.0
12.6.0
12.7.0
12.8.0
12.8.1
12.9.0
12.9.1
12.9.2
12.9.3
12.10.0
12.10.1
12.10.2
12.10.3
13.*
13.0.0
13.0.1
13.0.2
13.1.0
13.2.0
13.2.1
13.3.0
13.3.1
13.4.0
13.4.1
13.5.0
PyPI / mpxj
Package
- Name
- mpxj
- View open source insights on deps.dev
- Purl
- pkg:pypi/mpxj
Affected versions
9.*
9.0.0
9.1.0
9.2.0
9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6
9.3.0
9.3.1
9.4.0
9.5.0
9.5.1
9.5.2
9.6.0
9.7.0
9.8.0
9.8.1
9.8.2
9.8.3
10.*
10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.1.0
10.2.0
10.3.0
10.4.0
10.5.0
10.6.0
10.6.1
10.6.2
10.7.0
10.8.0
10.9.0
10.9.1
10.10.0
10.11.0
10.12.0
10.13.0
10.14.0
10.14.1
10.15.0
10.16.0
10.16.1
10.16.2
11.*
11.0.0
11.1.0
11.2.0
11.3.0
11.3.1
11.3.2
11.4.0
11.5.0
11.5.1
11.5.2
11.5.3
11.5.4
12.*
12.0.0
12.0.1
12.0.2
12.1.1
12.1.2
12.1.3
12.2.0
12.3.0
12.4.0
12.5.0
12.6.0
12.7.0
12.8.0
12.8.1
12.9.0
12.9.1
12.9.2
12.9.3
12.10.0
12.10.1
12.10.2
12.10.3
13.*
13.0.0
13.0.1
13.0.2
13.1.0
13.2.0
13.2.1
13.3.0
13.3.1
13.4.0
13.4.1
13.4.2
13.5.0
NuGet / net.sf.mpxj
Package
- Name
- net.sf.mpxj
- View open source insights on deps.dev
- Purl
- pkg:nuget/net.sf.mpxj
Affected versions
8.*
8.3.5
8.4.0
8.5.0
8.5.1
9.*
9.0.0
9.1.0
9.2.0
9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6
9.3.0
9.3.1
9.4.0
9.5.0
9.5.1
9.5.2
9.6.0
9.7.0
9.8.0
9.8.1
9.8.2
9.8.3
10.*
10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.1.0
10.2.0
10.3.0
10.4.0
10.5.0
10.6.0
10.6.1
10.6.2
10.7.0
10.8.0
10.9.0
10.9.1
10.10.0
10.11.0
10.12.0
10.13.0
10.14.0
10.14.1
10.15.0
10.16.0
10.16.1
10.16.2
11.*
11.0.0
11.1.0
11.2.0
11.3.0
11.3.1
11.3.2
11.4.0
11.5.0
11.5.1
11.5.2
11.5.3
11.5.4
12.*
12.0.0
12.0.1
12.0.2
12.1.0
12.1.1
12.1.2
12.1.3
12.2.0
12.3.0
12.4.0
12.5.0
12.6.0
12.7.0
12.8.0
12.8.1
12.9.0
12.9.1
12.9.2
12.9.3
12.10.0
12.10.1
12.10.2
12.10.3
13.*
13.0.0
13.0.1
13.0.2
13.1.0
13.2.0
13.2.1
13.3.0
13.3.1
13.4.0
13.4.1
13.4.2
13.5.0
NuGet / net.sf.mpxj-for-csharp
Package
- Name
- net.sf.mpxj-for-csharp
- View open source insights on deps.dev
- Purl
- pkg:nuget/net.sf.mpxj-for-csharp
Affected versions
8.*
8.3.5
8.4.0
8.5.0
8.5.1
9.*
9.0.0
9.1.0
9.2.0
9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6
9.3.0
9.3.1
9.4.0
9.5.0
9.5.1
9.5.2
9.6.0
9.7.0
9.8.0
9.8.1
9.8.2
9.8.3
10.*
10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.1.0
10.2.0
10.3.0
10.4.0
10.5.0
10.6.0
10.6.1
10.6.2
10.7.0
10.8.0
10.9.0
10.9.1
10.10.0
10.11.0
10.12.0
10.13.0
10.14.0
10.14.1
10.15.0
10.16.0
10.16.1
10.16.2
11.*
11.0.0
11.1.0
11.2.0
11.3.0
11.3.1
11.3.2
11.4.0
11.5.0
11.5.1
11.5.2
11.5.3
11.5.4
12.*
12.0.0
12.0.1
12.0.2
12.1.0
12.1.1
12.1.2
12.1.3
12.2.0
12.3.0
12.4.0
12.5.0
12.6.0
12.7.0
12.8.0
12.8.1
12.9.0
12.9.1
12.9.2
12.9.3
12.10.0
12.10.1
12.10.2
12.10.3
13.*
13.0.0
13.0.1
13.0.2
13.1.0
13.2.0
13.2.1
13.3.0
13.3.1
13.4.0
13.4.1
13.4.2
13.5.0
NuGet / net.sf.mpxj-for-vb
Package
- Name
- net.sf.mpxj-for-vb
- View open source insights on deps.dev
- Purl
- pkg:nuget/net.sf.mpxj-for-vb
Affected versions
8.*
8.3.5
8.4.0
8.5.0
8.5.1
9.*
9.0.0
9.1.0
9.2.0
9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6
9.3.0
9.3.1
9.4.0
9.5.0
9.5.1
9.5.2
9.6.0
9.7.0
9.8.0
9.8.1
9.8.2
9.8.3
10.*
10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.1.0
10.2.0
10.3.0
10.4.0
10.5.0
10.6.0
10.6.1
10.6.2
10.7.0
10.8.0
10.9.0
10.9.1
10.10.0
10.11.0
10.12.0
10.13.0
10.14.0
10.14.1
10.15.0
10.16.0
10.16.1
10.16.2
11.*
11.0.0
11.1.0
11.2.0
11.3.0
11.3.1
11.3.2
11.4.0
11.5.0
11.5.1
11.5.2
11.5.3
11.5.4
12.*
12.0.0
12.0.1
12.0.2
12.1.0
12.1.1
12.1.2
12.1.3
12.2.0
12.3.0
12.4.0
12.5.0
12.6.0
12.7.0
12.8.0
12.8.1
12.9.0
12.9.1
12.9.2
12.9.3
12.10.0
12.10.1
12.10.2
12.10.3
13.*
13.0.0
13.0.1
13.0.2
13.1.0
13.2.0
13.2.1
13.3.0
13.3.1
13.4.0
13.4.1
13.4.2
13.5.0
NuGet / MPXJ.Net
Package
- Name
- MPXJ.Net
- View open source insights on deps.dev
- Purl
- pkg:nuget/MPXJ.Net