Arc Vulnerable to Path Traversal Attacks via 'Zip Slip'
CVE-2023-5938

8HIGH

Key Information:

Vendor
Nozomi Networks
Status
Arc
Vendor
CVE Published:
15 May 2024

Summary

A security vulnerability exists in the Arc product from Nozomi Networks, where multiple functions fail to appropriately validate filenames within archives. This oversight exposes the application to path traversal attacks through maliciously crafted zip files. An administrator with the ability to supply altered archives may inadvertently allow an attacker to extract files to arbitrary locations on the filesystem. The potential consequences include overwriting critical system files, leading to unauthorized command execution or other severe impacts on the affected system.

Affected Version(s)

Arc 0 < 1.6.0

References

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was found by Gabriele Quagliarella of Nozomi Networks Security Research team during an internal penetration testing session.
.