CVE-2022-48285: Path Traversal
First published: Sun Jan 29 2023(Updated: )
A flaw was found in the JSZip package. Affected versions of JSZip could allow a remote attacker to traverse directories on the system caused by the failure to sanitize filenames when files are loaded with `loadAsync`, which makes the library vulnerable to a Zip Slip attack. By extracting files from a specially crafted archive, an attacker could gain access to parts of the file system outside of the target folder, overwrite the executable files, and execute arbitrary commands on the system.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jszip Project Jszip | <3.8.0 | |
| redhat/jszip | <3.8.0 | 3.8.0 |
| IBM Cognos Analytics | <=12.0 | |
| IBM Cognos Analytics | <=11.2.x | |
| IBM Cognos Analytics | <=11.1.x | |
| npm/jszip | <3.8.0 | 3.8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-48285 https://nvd.nist.gov/vuln/detail/CVE-2022-48285 https://exchange.xforce.ibmcloud.com/vulnerabilities/244499 https://github.com/Stuk/jszip/commit/2edab366119c9ee948357c02f1206c28566cdf15 https://github.com/Stuk/jszip/compare/v3.7.1...v3.8.0 https://www.mend.io/vulnerability-database/WS-2023-0004
- https://bugzilla.redhat.com/show_bug.cgi?id=2165797
- https://access.redhat.com/errata/RHSA-2023:1428
- https://access.redhat.com/security/cve/cve-2022-48285
- https://exchange.xforce.ibmcloud.com/vulnerabilities/244499
- https://github.com/Stuk/jszip/commit/2edab366119c9ee948357c02f1206c28566cdf15
- https://github.com/Stuk/jszip/compare/v3.7.1...v3.8.0
- https://www.mend.io/vulnerability-database/WS-2023-0004
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2166203
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2166204
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2166205
- https://security.netapp.com/advisory/ntap-20240621-0005/
- https://www.ibm.com/support/pages/node/7026692 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-48285
- https://security.netapp.com/advisory/ntap-20240621-0005
- https://github.com/advisories/GHSA-36fh-84j7-cv5h (Advisory)
Frequently Asked Questions
What is the vulnerability ID of this vulnerability?
The vulnerability ID of this vulnerability is CVE-2022-48285.
What is the title of this vulnerability?
The title of this vulnerability is 'loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.'
What is the severity of CVE-2022-48285?
The severity of CVE-2022-48285 is high.
How does CVE-2022-48285 affect JSZip?
CVE-2022-48285 affects JSZip by allowing a remote attacker to traverse directories on the system through a Zip Slip attack.
How do I fix CVE-2022-48285 in JSZip?
To fix CVE-2022-48285 in JSZip, update to version 3.8.0 or later.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-48285
- agent/software-canonical-lookup
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/ibm-support
- source/IBM
- collector/nvd-api
- source/NVD
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-36fh-84j7-cv5h
- agent/references
- agent/last-modified-date
- collector/nvd-cve
- agent/tags
- agent/event
- agent/softwarecombine
- collector/github-advisory
- vendor/jszip project
- canonical/jszip project jszip
- package-manager/redhat
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0
- version/ibm cognos analytics/11.2.x
- version/ibm cognos analytics/11.1.x
- package-manager/npm