Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in PanelSwWixExtension ZipFile element

High
nirbar published GHSA-mxqw-j9fm-xqhh Feb 15, 2022

Package

nuget PanelSwWixExtension (NuGet)

Affected versions

<2.38.1

Patched versions

2.38.1.61

Description

Impact

The ZipFile element was implemented using SharpZipLib v0.86, which was recently found to contain a security vulnerability.

Patches

Starting with version 2.38.1, ZipFile is implemented using POCO Project version 1.11.1.
Anyone using PanelSwWixExtension/ZipFile should upgrade to version 2.38.1.61 or above.

Workarounds

Use a different method to perform the zip operation.

References

GHSA-m22m-h4rf-pwq3
CVE-2021-32840

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-32840

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.
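
The containment check that the weakness description above implies, written as an added example; it is not code from PanelSwWixExtension, SharpZipLib or POCO. The helper name `sanitize_entry_name` is hypothetical and the sample entry names are constructed; Windows path rules are assumed because the package targets Windows installers.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Split on both separators: Windows accepts '/' as well as '\\'.
static std::vector<std::string> split_components(const std::string& name) {
    std::vector<std::string> parts;
    std::string cur;
    for (char c : name) {
        if (c == '/' || c == '\\') { parts.push_back(cur); cur.clear(); }
        else cur += c;
    }
    parts.push_back(cur);
    return parts;
}

// Hypothetical helper: returns the normalized relative path ('\\'-joined) when
// entryName stays beneath the directory it is joined onto, or "" when it must
// be rejected (a name that normalizes to nothing, such as "a/..", is rejected too).
std::string sanitize_entry_name(const std::string& entryName) {
    if (entryName.empty()) return "";
    // Rooted names: "\x", "/x", "\\server\share\x".
    if (entryName[0] == '/' || entryName[0] == '\\') return "";
    // Drive-qualified names ("C:x", "C:\x"); this also blocks NTFS stream syntax.
    if (entryName.find(':') != std::string::npos) return "";
    std::vector<std::string> kept;
    for (const std::string& part : split_components(entryName)) {
        if (part.empty() || part == ".") continue;   // "a//b", "./a"
        if (part == "..") {
            if (kept.empty()) return "";             // would climb above the root
            kept.pop_back();
            continue;
        }
        // Conservative: Win32 path normalization trims trailing dots and spaces.
        if (part.back() == '.' || part.back() == ' ') return "";
        kept.push_back(part);
    }
    std::string out;
    for (std::size_t i = 0; i < kept.size(); ++i) out += (i ? "\\" : "") + kept[i];
    return out;
}

int main() {
    // Constructed sample entry names, not taken from any real archive.
    const char* samples[] = {"docs/readme.txt", "a/../b.txt", "../evil.txt",
                             "a/..\\..\\evil.txt", "C:\\Windows\\x.dll", "/etc/x"};
    for (const char* s : samples) {
        std::string r = sanitize_entry_name(s);
        std::cout << s << " -> " << (r.empty() ? "REJECTED" : r) << "\n";
    }
}
```

The check is purely lexical: it does not resolve symbolic links or junctions that already exist under the destination directory, so resolve the final path as well where those are possible.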