
Spring Integration Zip 1.0.4 & CVE-2021-22114

Dear Spring community,

On behalf of the team and everyone who contributed, it is my pleasure to announce the 1.0.4.RELEASE version of the Spring Integration Zip extension.

CVE-2021-22114

The UnZipTransformer doesn’t cover all cases of the Zip Slip vulnerability, and some particular zip entry names may still end up outside of the working directory.

The updated fix has been released in the spring-integration-zip-1.0.4.RELEASE version together with some other bug fixes and improvements. We have also published a new advisory for CVE-2021-22114.

Credit: Trung Pham, Viettel Cyber Security.

Everybody who’s using the unzip feature of Spring Integration Zip is encouraged to upgrade accordingly.

Cheers,
Artem
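
A containment check of the kind that guards against Zip Slip, as an added example in Java; it is not code from the Spring Integration Zip project and not its actual fix. The class and method names, the `work` directory and the sample entry names are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ZipEntryPathCheck {

    /** Resolves an entry name under workDir, or throws if the result would leave workDir. */
    static Path resolveInside(Path workDir, String entryName) throws IOException {
        Path base = workDir.toAbsolutePath().normalize();
        Path target;
        try {
            // normalize() collapses "." and ".." segments before the containment check.
            // An absolute entry name replaces base entirely and then fails the check below.
            target = base.resolve(entryName).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("Rejected zip entry name: " + entryName, e);
        }
        // Path.startsWith compares whole path elements, so a sibling such as
        // "work-other" is not treated as inside "work" (a String prefix test would accept it).
        // This is a lexical check only; symlinks already present under workDir
        // would need an additional toRealPath() comparison.
        if (!target.startsWith(base)) {
            throw new IOException("Zip entry resolves outside " + base + ": " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path workDir = Paths.get("work"); // hypothetical working directory
        // Constructed sample entry names
        String[] names = {
            "docs/readme.txt",
            "docs/../readme.txt",
            "../outside.txt",
            "docs/../../outside.txt",
            "../work-other/file.txt",
        };
        for (String name : names) {
            try {
                System.out.println("OK      " + name + " -> " + resolveInside(workDir, name));
            } catch (IOException e) {
                System.out.println("REJECT  " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```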


Reposted from https://spring.io/blog/2021/03/01/spring-integration-zip-1-0-4-cve-2021-22114