Dear Spring community,
On behalf of the team and everyone who contributed, it is my pleasure to announce
1.0.4.RELEASE version for Spring Integration Zip extension.
UnZipTransformer doesn’t cover all the cases for Zip Slip Vulnerability and some particular zip entry names may still end up outside of working directory.
The updated fix has been released in the
spring-integration-zip-1.0.4.RELEASE version together with some other bug fixes and improvements. We also have published a new advisory for CVE-2021-22114.
Credit: Trung Pham, Viettel Cyber Security.
Everybody who’s using unzip feature from Spring Integration Zip is encouraged to upgrade respectively.