A new widespread vulnerability that lets an attacker execute remote commands affects web development tools offered by Amazon Web Services, HP, and other companies, according to secure-coding startup Snyk. The so-called “Zip Slip” vulnerability, which is particularly prevalent in JavaScript, “affects thousands of projects” supported by those internet giants plus other companies, Snyk co-founder Danny Grander said in an advisory. “[T]his type of vulnerability has existed before, but recently it has manifested itself in a much larger number of projects and libraries,” Grander wrote. The vulnerability allows an attacker to “gain access to parts of the file system outside of the target folder in which they should reside,” according to Snyk, potentially letting the adversary overwrite configuration files. To do that, an attacker needs both a “a malicious archive and extraction code that does not perform validation checking,” the firm said. Snyk said that it began privately disclosing the vulnerability to […]
The post Widespread ‘Zip Slip’ vulnerability affects AWS, HP tools, researchers say appeared first on Cyberscoop.
Continue reading Widespread ‘Zip Slip’ vulnerability affects AWS, HP tools, researchers say→