Description
WS-2019-0231 - Medium Severity Vulnerability
Vulnerable Library - adm-zip-0.4.4.tgz
A Javascript implementation of zip for nodejs. Allows user to create or extract zip files both in memory or to/from disk
Library home page: https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.4.tgz
Path to dependency file: angular/package.json
Path to vulnerable library: angular/node_modules/adm-zip
Dependency Hierarchy:
- cldr-data-downloader-0.3.2.tgz (Root Library)
- ❌ adm-zip-0.4.4.tgz (Vulnerable Library)
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Vulnerability Details
adm-zip versions before 0.4.9 are vulnerable to Arbitrary File Write due to extraction of a specially crafted archive that contains path traversal filenames.
Publish Date: 2018-04-22
URL: WS-2019-0231
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/994
Release Date: 2019-09-09
Fix Resolution: 0.4.9