CVE-2019-10743 (Zip Slip Attack) #647

Closed
gnuletik opened this issue Apr 20, 2023 · 5 comments
Assignees
Labels:
Status: Completed (Nothing further to be done with this issue. Awaiting to be closed.)
Type: Bug (Inconsistencies or issues which will cause an issue or problem for users or implementors.)

Comments

@gnuletik

Naabu is using github.com/mholt/archiver@v3.1.1 which is vulnerable to a Zip Slip Attack.

github.com/mholt/archiver v3.1.1+incompatible // indirect

https://nvd.nist.gov/vuln/detail/CVE-2019-10743
mholt/archiver#169

Please update to https://github.com/mholt/archiver/releases/tag/v3.3.2 to fix the issue.

Security Policy

NB: I tried reporting the vulnerability to security[@]projectdiscovery.com as required by the https://github.com/projectdiscovery/naabu/security/policy but the address does not exist anymore (550 No Such User Here).

gnuletik added the "Type: Bug" label on Apr 20, 2023
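For readers who want to see what the reported weakness class looks like from the defender's side, the following is an added Go example, written for this page and not taken from naabu or from mholt/archiver: an extractor that refuses any archive entry whose name would resolve outside the destination directory (the Zip Slip pattern, e.g. an entry named `../escape.txt`). The archive is constructed in memory, and the helper names (`safeJoin`, `extractZip`, `copyEntry`, `buildSampleZip`) and the sample entry names are assumptions of this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrZipSlip = errors.New("archive entry escapes destination directory")

// safeJoin resolves an archive entry name under dest and rejects names that
// would land outside it. Hypothetical helper written for this example.
func safeJoin(dest, name string) (string, error) {
	// Treat backslashes as separators so "..\x" is caught on every platform.
	name = strings.ReplaceAll(name, `\`, "/")
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", fmt.Errorf("%w: %q", ErrZipSlip, name)
	}
	// Join cleans the path ("a/../../b" -> "<dest>/../b"); Rel then exposes a
	// leading "..". Rel cannot fail here because target was built from dest.
	target := filepath.Join(dest, filepath.FromSlash(name))
	rel, _ := filepath.Rel(dest, target)
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrZipSlip, name)
	}
	return target, nil
}

// extractZip writes the regular files in data under dest. Entries rejected by
// safeJoin are returned in rejected and skipped, so the caller can log them.
func extractZip(data []byte, dest string) (written, rejected []string, err error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if zr == nil {
		return nil, nil, err
	}
	for _, f := range zr.File {
		target, jerr := safeJoin(dest, f.Name)
		if jerr != nil {
			rejected = append(rejected, f.Name)
			continue
		}
		if f.FileInfo().IsDir() {
			err = os.MkdirAll(target, 0o755)
		} else if err = copyEntry(f, target); err == nil {
			written = append(written, target)
		}
		if err != nil {
			return written, rejected, err
		}
	}
	return written, rejected, nil
}

// copyEntry streams one regular-file entry to target, creating parent dirs.
func copyEntry(f *zip.File, target string) error {
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// buildSampleZip returns a constructed in-memory archive: one benign entry and
// one whose name tries to climb out of the extraction directory.
func buildSampleZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range [][2]string{
		{"good/readme.txt", "harmless content\n"},
		{"../escape.txt", "must never land outside dest\n"},
	} {
		w, _ := zw.Create(e[0])
		io.WriteString(w, e[1])
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "unzip-demo")
	defer os.RemoveAll(dest)
	written, rejected, err := extractZip(buildSampleZip(), dest)
	fmt.Println("written:", written, "rejected:", rejected, "err:", err)
}
```

Running it prints one written path under the temporary directory and `../escape.txt` in the rejected list. Two caveats a reviewer would add: Go 1.20 and later can flag such names itself (`GODEBUG=zipinsecurepath=0` makes `zip.NewReader` return `ErrInsecurePath` alongside a usable reader), but an explicit check keeps the behaviour independent of the toolchain setting; and this example does not handle symlink entries or cap decompressed size, both of which a production extractor should also do.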
@ehsandeep
Member

Thank you, @gnuletik, for the issue; I will check what went wrong with the email.

@ehsandeep
Member

I'm not sure about any security impact here, but we should update the dep.

@toufik-airane

Dear @gnuletik,

I wanted to thank you for submitting your report.

Unfortunately for us, it appears that a typo was inadvertently included in the security.md. The correct email address to use is security@projectdiscovery.io.

Thank you for bringing this matter to our attention.

@toufik-airane

toufik-airane commented May 1, 2023

Additionally, with regard to the report's content, we presently categorize third-party concerns as out of scope if there is no supporting evidence of vulnerability (such as a proof of concept) that demonstrates a tangible security impact on the target.

If you are able to provide a proof of concept demonstrating a concrete security impact on the target, we would be pleased to consider the report for inclusion in an eligible crowdsourced security program.

Meanwhile, I'm inclined to close the issue as informative. @RamanaReddy0M

We appreciate you notifying us about this matter, thank you.

toufik-airane added and then removed the "wontfix" (This will not be worked on) label on May 1, 2023
@Mzack9999
Member

@gnuletik Thanks for notifying us of this potential vulnerability. After review, it seems like the automatic dependency update is already covered via Dependabot, but we were missing an automatic library release with updated versions (added in projectdiscovery/gologger#41). Although not directly exploitable, all vulnerabilities must be mitigated and addressed. Hence thanks again for your help. I'm closing the issue as completed.

Mzack9999 added the "Status: Completed" label on Jul 6, 2023
Development

No branches or pull requests

5 participants