CVE-2021-22114: Path Traversal
First published: Mon Mar 01 2021(Updated: )
Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.
Credit: security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| VMware Spring Integration | <1.0.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-22114?
CVE-2021-22114 is classified as a high severity vulnerability due to its potential for arbitrary file writes.
How do I fix CVE-2021-22114?
To fix CVE-2021-22114, upgrade affected Spring Integration Zip versions to 1.0.4 or later.
What specifically does CVE-2021-22114 affect?
CVE-2021-22114 affects VMware Spring Integration Zip versions prior to 1.0.4, enabling arbitrary file write through zip and other archive formats.
How does CVE-2021-22114 exploit path traversal?
CVE-2021-22114 exploits path traversal vulnerabilities by using specially crafted zip archives that contain malicious path traversal filenames.
Are there any workarounds for CVE-2021-22114?
There are no known effective workarounds for CVE-2021-22114; the best course of action is to upgrade to the patched version.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/vmware
- canonical/vmware spring integration