Zip Slip
Zip Slip is a widespread critical archive extraction vulnerability, allowing attackers to write arbitrary files on the system, typically resulting in remote command execution. It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many more. This page provides the most up-to-date fix statuses for the libraries and projects that were found to be exploitable or contain a vulnerable implementation.
For more information on the technical details of Zip Slip, read http://snyk.io/research/zip-slip-vulnerability.
The vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files. The lack of such a library led to vulnerable code snippets being hand-crafted and shared among developer communities such as StackOverflow.
The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.
Here is a vulnerable code example showing a ZipEntry path being concatenated to a destination directory without any path validation. Code similar to this has been found in many repositories across many ecosystems, including libraries which thousands of applications depend on.
Enumeration<ZipEntry> entries = zip.getEntries();
while (entries.hasMoreElements()) {
ZipEntry e = entries.nextElement();
File f = new File(destinationDir, e.getName());
InputStream input = zip.getInputStream(e);
IOUtils.copy(input, write(f));
}If you find a library or project that contains similar vulnerable code, we ask for your contribution to this repository to provide the community with the most up to date information about the Zip Slip vulnerability. To contribute, please refer to our CONTRIBUTING.md file.
Affected Libraries
Many of the following affected libraries exist because their ecosystems lack high level APIs providing the basic archive management capabilities. This results in vulnerable code being shared and reused. The following table contains the list of vulnerable libraries we found during private disclosure of Zip Slip which we aim to keep up to date, with community support, going forward as more vulnerable libraries are discovered. Some libraries that do not provide the high-level API often result in vulnerable implementations also, either through people copying and pasting vulnerable private code, or writing their own vulnerable snippets.
| Vendor | Product | Language | Confirmed vulnerable | Fixed Version | CVE | Fixed |
|---|---|---|---|---|---|---|
| npm library | unzipper | JavaScript | YES | 0.8.13 | CVE-2018-1002203 | 17/4/2018 |
| npm library | adm-zip | JavaScript | YES | 0.4.9 | CVE-2018-1002204 | 23/4/2018 |
| Java library | codehaus/plexus-archiver | Java | YES | 3.6.0 | CVE-2018-1002200 | 6/5/2018 |
| Java library | zeroturnaround/zt-zip | Java | YES | 1.13 | CVE-2018-1002201 | 26/4/2018 |
| Java library | zip4j | Java | YES | 1.3.3 | CVE-2018-1002202 | 13/6/2018 |
| .NET library | DotNetZip.Semverd | .NET | YES | 1.11.0 | CVE-2018-1002205 | 7/5/2018 |
| .NET library | SharpCompress | .NET | YES | 0.21.0 | CVE-2018-1002206 | 2/5/2018 |
| Go library | mholt/archiver | Go | YES | N/A | CVE-2019-10743 | |
| Oracle | java.util.zip | Java | * No High Level API | Documentation Fix | N/A | |
| Apache | commons-compress | Java | * No High Level API | Documentation Fix | N/A | 23/4/2018 |
| .NET library | SharpZipLib | .NET | YES | v1.0.0 | CVE-2018-1002208 | 19/8/2018 |
| Ruby gem | zip-ruby | Ruby | * No High Level API | N/A | ||
| Ruby gem | rubyzip | Ruby | YES | CVE-2018-1000544 | ||
| Ruby gem | zipruby | Ruby | * No High Level API | N/A | ||
| Go library | archive | Go | * No High Level API | N/A | ||
| Python library | tarfile | Python | YES | N/A | ||
| C++/qt library | quazip | C++ | YES | 0.7.6 | CVE-2018-1002209 | 12/6/2018 |
| Clojure library | Raynes/fs | Clojure | YES | akvo/fs 20180618-134534.a44cdd5b | N/A | 18/6/2018 |
| Go library | cloudfoundry/archiver | Go | YES | 24/5/2018 | N/A | 24/5/2018 |
| PHP library | chumper/zipper | PHP | YES | 1.0.3 | N/A | 26/2/2020 |
| Perl library | libarchive-zip-perl | Perl | YES | CVE-2018-10860 | ||
| Rust library | rs-async-zip | Rust | * No High Level API | Documentation Fix | N/A |
Projects Affected and Fixed
The following list of projects contain vulnerable code. Please add to this list as you find projects that are vulnerable to Zip Slip, or if you have further information about a project fix status.
| Vendor | Product | Fixed date | Fixed version | CVE | Vulnerable Code |
|---|---|---|---|---|---|
| Apache Storm | Storm | 2/5/2018 | 1.1.3, 1.2.2 | CVE-2018-8008 | #1 #2 #3 #4 |
| Apache Software Foundation | Apache Hadoop | 30/5/2018 #1 #2 | 2.7.7, 2.8.5, 2.9.2, 3.0.3, 3.1.1 | CVE-2018-8009 | |
| Apache | Maven | ||||
| Apache | Ant | 21/4/2018 | 1.9.12 | CVE-2018-10886 | |
| Pivotal | spring-integration-zip | 3/5/2018 | 1.0.1 | CVE-2018-1261 | |
| Pivotal | spring-integration-zip | 10/5/2018 | 1.0.2 | CVE-2018-1263 | |
| HP | Fortify Cloud Scan Jenkins Plugin | 27/4/2018 | 1.5.2 | #1 | |
| OWASP | DependencyCheck | 7/5/2018 | 3.2.0 | CVE-2018-12036 | |
| Amazon | AWS Toolkit for Eclipse | 31/5/2018 | |||
| SonarSource | SonarQube | 4/5/2018 | 6.7.4 LTS, 7.2 | #1 | |
| Cinchapi | Concourse | 30/5/2018 | #1 | ||
| Orient Technologies | OrientDB | 31/5/2018 | #1 #2 | ||
| FenixEdu | Academic | 30/5/2018 | #1 | ||
| Lucee | Lucee | 5/6/2018 | 5.2.7.63, 5.2.8.47 | #1 | |
| groovy-common-extensions | groovy-common-extensions | 3/7/2018 | 0.7.1 | #1 | |
| fabric8 | fabric8 | 5/6/2018 | 2.2.170-85 | #1 | |
| Apache | Tika | 19/9/2018 | 1.19 | ||
| Apache | DeepLearning4J | 10/24/2018 | 1.0.0-SNAPSHOT | ||
| FireGiant | WiX Toolkit | 09/19/2019 | 3.11.2 | CVE-2019-16511 | |
Defensively fixed but deemed not exploitable
Some projects were confirmed by the project maintainers that their implementation code was not vulnerable to Zip Slip. However they decided to remove or fix their implementation so that in the future, the snippets could not be copied and become vulnerable elsewhere.
| Vendor | Product | Vulnerable Code Removed | Vulnerable Code |
|---|---|---|---|
| Apache | Kylin | 24/4/2018 | #1 |
| Apache | NiFi | 24/4/2018 | #1 |
| Apache | Geode | 20/4/2018 | |
| Jenkins | Jenkins CI | 5/5/2018 | #1 |
| Elastic | ElasticSearch | 10/5/2018 | #1 |
| Pinot | 22/5/2018 | #1 | |
| AnkiDroid | Anki-Droid | 31/5/2018 | #1 |
| ata4 | bspsrc | 30/5/2018 | #1 |
| eirslett | frontend-maven-plugin | 30/5/2018 | #1 #2 |
Affected and not yet fixed
| Vendor | Product | Vulnerable Code | CVE |
|---|---|---|---|
| unknwon | cae/zip | #1 | CVE-2020-7664 |
| unknwon | cae/tz | #1 | CVE-2020-7668 |
Deemed not exploitable by the maintainer (vulnerable implementation remains)
The final list of projects are those with snippets of code that still have a vulnerable implementation, but are not exploitable. It is believed that it would not be possible to attack these projects in such a way that could lead to a malicious outcome, but the vulnerable pattern of code still exists within the code base. We strongly encourage such projects to fix the implementation both to prevent its use through other functionality, or use in other projects that copy paste snippets.
| Vendor | Product | Vulnerable Code |
|---|---|---|
| JetBrains | Intellij-community | #1 |
| Apache | Apex | #1 |
| Apache | Zeppelin | #1 |
| Apache | Reef | #1 |
| Apache | BookKeeper | #1 |
| Apache | Pulsar | #1 |
| Apache | Heron | #1 |
| Apache | Gobblin | #1 |
| Apache | Gobblin | #1 |
| Apache | SystemML | #1 |
| Gradle | Gradle | #1 |
| Gradle | Gradle | #1 |
| Gradle | Gradle | #1 |
| plasma-umass | doppio | #1 |
| streamsets | DataCollector | #1 |
For more information on Zip Slip, go to http://snyk.io/research/zip-slip-vulnerability.