Giters

UpendoVentures / Upendo-DNN-Simple-Auth-Provider

This extension for DNN allows you to switch from the default DNN login, to use a more user-friendly approach that requires entering a code from your email account.

Home Page:https://upendoventures.com/What/CMS/DNN

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

ICSharpCode.SharpZipLib.dll: 1 vulnerabilities (highest severity is: 5.5)

mend-bolt-for-github opened this issue · comments

commented
Vulnerable Library - ICSharpCode.SharpZipLib.dll

ICSharpCode.SharpZipLibrary

Library home page: https://api.nuget.org/packages/netsword.common.icsharpcode.sharpziplib.0.84.0.nupkg

Path to vulnerable library: /Build/ICSharpCode.SharpZipLib.dll

Found in HEAD commit: 2db70b6cdbcc474cf1a7e2a73f7d20f87c3af815

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (ICSharpCode.SharpZipLib.dll version) Remediation Possible**
CVE-2018-1002208 Medium 5.5 ICSharpCode.SharpZipLib.dll Direct SharpZipLib - 1.0.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2018-1002208

Vulnerable Library - ICSharpCode.SharpZipLib.dll

ICSharpCode.SharpZipLibrary

Library home page: https://api.nuget.org/packages/netsword.common.icsharpcode.sharpziplib.0.84.0.nupkg

Path to vulnerable library: /Build/ICSharpCode.SharpZipLib.dll

Dependency Hierarchy:

  • ICSharpCode.SharpZipLib.dll (Vulnerable Library)

Found in HEAD commit: 2db70b6cdbcc474cf1a7e2a73f7d20f87c3af815

Found in base branch: dev

Vulnerability Details

SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Publish Date: 2018-07-25

URL: CVE-2018-1002208

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002208

Release Date: 2018-07-25

Fix Resolution: SharpZipLib - 1.0.0

Step up your Open Source Security Game with Mend here