Info-ZIP UnZip Hostile Destination...

Published: 2001-07-12
Revised: 2025-04-13

Versions of Info-ZIP UnZip up to and including 5.42 contain a vulnerability in the handling of pathnames for archived files. By specifying a path for an archived item which points outside the expected directory scope, the creator of the archive can cause the file to be extracted to arbitrary locations on the filesystem - including paths containing system binaries and other sensitive or confidential information. This can be used to create or overwrite binaries in any desired location. Properly exploited, this grants the archive creator an elevation of privileges.
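
A defender-side check for the condition described above, as an added example that is not part of the original advisory or of Info-ZIP's code: it lists an archive's entries with Python's `zipfile` and flags any name that is absolute or climbs out of the extraction directory. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import zipfile


def unsafe_members(zf: zipfile.ZipFile) -> list[str]:
    """Return names of entries that would land outside the extraction directory."""
    flagged = []
    for info in zf.infolist():
        # Zip names use "/", but a hostile archive may carry "\" as well.
        name = info.filename.replace("\\", "/")
        # Absolute POSIX path, or a drive-letter prefix such as "C:".
        absolute = name.startswith("/") or (len(name) > 1 and name[1] == ":")
        # Collapse "a/../b" style segments, then see whether the result
        # still climbs above the directory it started in.
        norm = posixpath.normpath(name)
        escapes = norm == ".." or norm.startswith("../")
        if absolute or escapes:
            flagged.append(info.filename)
    return flagged


def build_sample() -> zipfile.ZipFile:
    """Constructed in-memory archive: two benign entries, three hostile ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("docs/readme.txt",          # benign
                     "docs/a/../b.txt",          # benign: stays under docs/
                     "../../tmp/outside.txt",    # climbs out
                     "/tmp/absolute.txt",        # absolute path
                     "docs/../../outside2.txt"): # climbs out after normalising
            zf.writestr(name, b"constructed sample data")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    for name in unsafe_members(build_sample()):
        print("refusing to extract:", name)
```

Running the check on the listing before extraction means an archive with any flagged entry can be rejected whole rather than partially unpacked.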

No exploit or PoC is currently available.
There are currently 0 affected product records.