Zip Slip Flaw Affects Thousands of Open-Source Projects

An exploit allows attackers to remotely overwrite archive files with their own content, and from there pivot to achieving remote command execution on the machine.

Widespread ‘Zip Slip’ vulnerability affects AWS, HP tools, researchers say

A new widespread vulnerability that lets an attacker execute remote commands affects web development tools offered by Amazon Web Services, HP, and other companies, according to secure-coding startup Snyk. The so-called “Zip Slip” vulnerability, which is particularly prevalent in JavaScript, “affects thousands of projects” supported by those internet giants plus other companies, Snyk co-founder Danny Grander said in an advisory. “[T]his type of vulnerability has existed before, but recently it has manifested itself in a much larger number of projects and libraries,” Grander wrote. The vulnerability allows an attacker to “gain access to parts of the file system outside of the target folder in which they should reside,” according to Snyk, potentially letting the adversary overwrite configuration files. To do that, an attacker needs both “a malicious archive and extraction code that does not perform validation checking,” the firm said. Snyk said that it began privately disclosing the vulnerability to […]

The post Widespread ‘Zip Slip’ vulnerability affects AWS, HP tools, researchers say appeared first on Cyberscoop.

Zip Slip Vulnerability Affecting Thousands of Apps Puts Systems at Risk

Thousands of software projects and libraries contain code that extracts archives in an insecure way, allowing attackers to write arbitrary files outside the intended directories. In many cases, this can lead to remote code execution. The vulnerability…