New Zip Slip Vulnerability Hits Java Apps

Other languages are also at risk...

Israel-based Snyk Security has reported a new critical vulnerability named Zip Slip. It is an arbitrary file overwrite vulnerability caused by path traversal in archive formats, and it can result in remote command execution (RCE).

According to the researchers who identified the vulnerability, "Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim's machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers."

Zip Slip affects:

  • Thousands of projects, including ones from Hewlett Packard, Amazon, Apache Foundation, Pivotal, and others.
  • Multiple languages and platforms, including JavaScript, Ruby, .NET and Go, but it is especially prevalent in Java.
  • Numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.

The CVEs and the full list of affected projects are maintained at: https://github.com/snyk/zip-slip-vulnerability

Action Steps

Waratek Enterprise customers are protected by the standard Path Traversal Rule that remediates this vulnerability.

Waratek Patch customers will receive a virtual patch that corresponds to the vulnerability for each affected project.

Non-Waratek customers should search their code bases for vulnerable extraction code and search their dependencies for vulnerable libraries and frameworks. Vulnerable code must be manually fixed and tested. Vulnerable libraries and frameworks must be upgraded to the latest patched release.
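The traversal quoted from the researchers above, and the manual fix that the action steps call for, as an added Java example that is not part of the Snyk advisory, this article, or any Waratek product. The vulnerable pattern is an extraction loop that builds the output path as `new File(destDir, entry.getName())` with no check; the hardened form below resolves both paths canonically and refuses any entry that lands outside the destination. The names `safeResolve`, `extract` and `buildArchive`, and the in-memory archive with a climbing entry name, are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipDemo {

    // Resolve an archive entry name against the destination directory and
    // refuse anything that would land outside it. getCanonicalPath() collapses
    // "..", redundant separators and symlinks, so the comparison is made on
    // the path that would actually be written, not on the raw entry name.
    static File safeResolve(File destDir, String entryName) throws IOException {
        File target = new File(destDir, entryName);
        String destPath = destDir.getCanonicalPath() + File.separator;
        String targetPath = target.getCanonicalPath();
        if (!targetPath.startsWith(destPath)) {
            throw new IOException("Zip Slip: entry escapes destination: " + entryName);
        }
        return target;
    }

    // Hardened extraction loop: every entry passes through safeResolve before
    // a single byte is written. Returns the number of regular files written.
    static int extract(InputStream archive, File destDir) throws IOException {
        int written = 0;
        try (ZipInputStream zis = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File target = safeResolve(destDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target.toPath());
                } else {
                    Files.createDirectories(target.toPath().getParent());
                    try (OutputStream out = Files.newOutputStream(target.toPath())) {
                        zis.transferTo(out); // Java 9+; copies the current entry only
                    }
                    written++;
                }
                zis.closeEntry();
            }
        }
        return written;
    }

    // Build a small archive in memory (constructed for this example) from the
    // given entry names. Java's ZipOutputStream accepts any string as a name,
    // which is exactly why the check on extraction is needed.
    static byte[] buildArchive(String... entryNames) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : entryNames) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("payload\n".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("zipslip-dest");
        File destDir = dest.toFile();

        // A benign archive extracts normally into destDir.
        byte[] good = buildArchive("docs/readme.txt");
        int count = extract(new ByteArrayInputStream(good), destDir);
        System.out.println("benign archive: " + count + " file(s) written under " + destDir);

        // An archive with an entry whose name climbs out of destDir. Without
        // the canonical-path check this would be written two directories
        // above the extraction folder; safeResolve rejects it instead.
        byte[] bad = buildArchive("docs/readme.txt", "../../outside.txt");
        try {
            extract(new ByteArrayInputStream(bad), destDir);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same check belongs in front of every archive library the page lists (tar, jar, war, cpio, apk, rar, 7z): whatever API yields the entry name, resolve it canonically against the destination and compare before opening the output file. Note that `getCanonicalPath()` touches the filesystem, so the destination directory must exist when the check runs.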

For more information about the Zip Slip vulnerability or how Waratek protects against it, please contact your Waratek representative or schedule a demonstration.

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

Published at DZone with permission of
