CVE-2023-5938 Vulnerability Details

  /     /     /  

CVE-2023-5938 Metadata Quick Info

CVE Published: 15/05/2024 | CVE Updated: 02/08/2024 | CVE Year: 2023
Source: Nozomi | Vendor: Nozomi Networks | Product: Arc
Status : PUBLISHED

CVE-2023-5938 Description

Multiple functions use archives without properly validating the filenames therein, rendering the application vulnerable to path traversal via \'zip slip\' attacks. An administrator able to provide tampered archives to be processed by the affected versions of Arc may be able to have arbitrary files extracted to arbitrary filesystem locations. Leveraging this issue, an attacker may be able to overwrite arbitrary files on the target filesystem and cause critical impacts on the system (e.g., arbitrary command execution on the victim’s machine).

Metrics

CVSS Version: 3.1 | Base Score: 8 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* HIGH
    Privileges Required (PR)* HIGH
    User Interaction (UI)* NONE
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-22
CWE Name: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ( Path Traversal )
Source: Nozomi Networks

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-139
CAPEC Description: CAPEC-139 Relative Path Traversal