Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
`ZipSecurity#isBelowCurrentDirectory` is vulnerable to partial-path traversal vulnerability
Vulnerability Description
The Pixee Java Code Security Toolkit is a set of security APIs meant to help secure Java code. `ZipSecurity#isBelowCurrentDirectory` is vulnerable to a partial-path traversal bypass. To be vulnerable to the bypass, the application must use toolkit version <=1.1.1, use ZipSecurity as a guard against path traversal, and have an exploit path. Although the control still protects attackers from escaping the application path into higher level directories (e.g., /etc/), it will allow "escaping" into sibling paths. For example, if your running path is /my/app/path you an attacker could navigate into /my/app/path-something-else. This vulnerability is patched in 1.1.2.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
Java Code Security Toolkit 路径遍历漏洞
Vulnerability Description
Java Code Security Toolkit是一组旨在帮助保护 Java 代码安全的安全 API。 Java Code Security Toolkit 1.1.1 及之前版本存在路径遍历漏洞,该漏洞源于ZipSecurity#isBelowCurrentDirectory容易受到部分路径遍历漏洞的影响。
CVSS Information
N/A
Vulnerability Type
N/A