{"advisories":[{"schema_version":"1.6.0","id":"GHSA-9v85-q87q-g4vg","modified":"2024-02-16T08:24:53.140481Z","published":"2023-08-31T00:30:17Z","aliases":["CVE-2023-39139"],"summary":"Path traversal in Archive","details":"An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Pub","name":"archive","purl":"pkg:pub/archive"},"ranges":[{"type":"ECOSYSTEM","repo":null,"events":[{"introduced":"0","fixed":null,"last_affected":null,"limit":null},{"introduced":null,"fixed":"3.3.8","last_affected":null,"limit":null}],"database_specific":null}],"versions":["1.0.0","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.16","1.0.17","1.0.18","1.0.19","1.0.2","1.0.20","1.0.21","1.0.22","1.0.23","1.0.24","1.0.25","1.0.26","1.0.27","1.0.28","1.0.29","1.0.3","1.0.31","1.0.32","1.0.33","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","2.0.0","2.0.1","2.0.10","2.0.11","2.0.12","2.0.13","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","3.0.0","3.0.0-nullsafety.0","3.1.1","3.1.10","3.1.11","3.1.2","3.1.3","3.1.4","3.1.5","3.1.6","3.1.7","3.1.8","3.1.9","3.2.0","3.2.1","3.2.2","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7"],"database_specific":{"last_known_affected_version_range":"<= 3.3.7","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-9v85-q87q-g4vg/GHSA-9v85-q87q-g4vg.json"},"ecosystem_specific":null}],"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39139"},{"type":"WEB","url":"https://github.com/brendan-duncan/archive/issues/265"},{"type":"WEB","url":"https://github.com/brendan-duncan/archive/commit/6de492385d72af044231c4163dff13a43d991c83"},{"type":"WEB","url":"https://github.com/brendan-duncan/archive/commit/edb0d480733a44d28ff3d5e4e2779153ba645ce7"},{"type":"WEB","url":"https://blog.ostorlab.co/zip-packages-exploitation.html"},{"type":"PACKAGE","url":"https://github.com/brendan-duncan/archive"},{"type":"WEB","url":"https://ostorlab.co/vulndb/advisory/OVE-2023-5"}],"database_specific":{"nvd_published_at":"2023-08-30T22:15:09Z","cwe_ids":["CWE-22"],"severity":"HIGH","github_reviewed":true,"github_reviewed_at":"2023-08-31T01:42:46Z","pub_display_url":"https://github.com/advisories/GHSA-9v85-q87q-g4vg"}},{"schema_version":"1.6.0","id":"GHSA-r285-q736-9v95","modified":"2024-10-02T13:45:54.869272Z","published":"2023-08-31T00:30:17Z","aliases":["CVE-2023-39137"],"summary":"Filename spoofing in archive","details":"An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"affected":[{"package":{"ecosystem":"Pub","name":"archive","purl":"pkg:pub/archive"},"ranges":[{"type":"ECOSYSTEM","repo":null,"events":[{"introduced":"0","fixed":null,"last_affected":null,"limit":null},{"introduced":null,"fixed":"3.3.8","last_affected":null,"limit":null}],"database_specific":null}],"versions":["1.0.0","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.16","1.0.17","1.0.18","1.0.19","1.0.2","1.0.20","1.0.21","1.0.22","1.0.23","1.0.24","1.0.25","1.0.26","1.0.27","1.0.28","1.0.29","1.0.3","1.0.31","1.0.32","1.0.33","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","2.0.0","2.0.1","2.0.10","2.0.11","2.0.12","2.0.13","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","3.0.0","3.0.0-nullsafety.0","3.1.1","3.1.10","3.1.11","3.1.2","3.1.3","3.1.4","3.1.5","3.1.6","3.1.7","3.1.8","3.1.9","3.2.0","3.2.1","3.2.2","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7"],"database_specific":{"last_known_affected_version_range":"<= 3.3.7","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-r285-q736-9v95/GHSA-r285-q736-9v95.json"},"ecosystem_specific":null}],"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39137"},{"type":"WEB","url":"https://github.com/brendan-duncan/archive/issues/266"},{"type":"WEB","url":"https://github.com/brendan-duncan/archive/commit/0d17b270a3c33d3bed56cadd9a43da7717ab11f4"},{"type":"WEB","url":"https://blog.ostorlab.co/zip-packages-exploitation.html"},{"type":"PACKAGE","url":"https://github.com/brendan-duncan/archive"},{"type":"WEB","url":"https://ostorlab.co/vulndb/advisory/OVE-2023-3"},{"type":"WEB","url":"https://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_name_spoofing"}],"database_specific":{"nvd_published_at":"2023-08-30T22:15:09Z","cwe_ids":["CWE-20"],"severity":"HIGH","github_reviewed":true,"github_reviewed_at":"2023-08-31T01:43:38Z","pub_display_url":"https://github.com/advisories/GHSA-r285-q736-9v95"}}],"advisoriesUpdated":"2024-10-02T16:31:42.850753Z"}