css4j / echosvg

SVG implementation in the Java™ Language, fork of Apache Batik, supporting level 4 selectors and colors.
Apache License 2.0

Arbitrary file access during archive extraction ("Zip Slip") [VERY LOW IMPACT] #98

Closed carlosame closed 4 months ago

carlosame commented 4 months ago

A static method in the ClassFileUtilities class is vulnerable to a "Zip Slip" attack, see security/code-scanning#32. That method isn't used at all by the main EchoSVG code so the security impact is minimal, almost zero.

Tracking issue for:
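The defect class named in the report, Zip Slip, comes from resolving an archive entry's name against the destination directory without checking that the result stays inside it. The following is an added example, not EchoSVG's or Batik's code; the class name `SafeUnzip` and its methods are assumed, and it shows the check a hardened `ClassFileUtilities`-style extractor needs.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/** Zip Slip-safe extraction helper (added example, not part of EchoSVG). */
public final class SafeUnzip {

    /**
     * Resolve an entry name against destDir and reject anything that escapes it.
     * The vulnerable pattern is new File(destDir, entryName) with no check: an
     * entry named "../outside.txt" is then written one level above destDir.
     */
    static Path safeResolve(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        // normalize() collapses ".." segments; an absolute entry name resolves to
        // itself and so also fails the prefix check below.
        Path target = base.resolve(entryName).normalize();
        // Path.startsWith compares whole path components, so "/tmp/out" does not
        // accidentally accept "/tmp/outside" the way String.startsWith would.
        if (!target.startsWith(base)) {
            throw new IOException("Zip entry escapes destination directory: " + entryName);
        }
        return target;
    }

    /** Extract every entry of a zip stream under destDir; returns the file count. */
    public static int extract(InputStream in, Path destDir) throws IOException {
        int files = 0;
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = safeResolve(destDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                    files++;
                }
                zis.closeEntry();
            }
        }
        return files;
    }
}
```

Because `safeResolve` throws before any write, a single traversal entry aborts the whole extraction instead of silently landing a file outside `destDir`; callers that prefer to skip such entries can catch the exception per entry and log it.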