
Widespread ‘Zip Slip’ vulnerability affects AWS, HP tools, researchers say


A new widespread vulnerability that lets an attacker execute remote commands affects web development tools offered by Amazon Web Services, HP, and other companies, according to secure-coding startup Snyk.

The so-called “Zip Slip” vulnerability, which is particularly prevalent in JavaScript, “affects thousands of projects” supported by those internet giants plus other companies, Snyk co-founder Danny Grander said in an advisory.

“[T]his type of vulnerability has existed before, but recently it has manifested itself in a much larger number of projects and libraries,” Grander wrote.

The vulnerability allows an attacker to “gain access to parts of the file system outside of the target folder in which they should reside,” according to Snyk, potentially letting the adversary overwrite configuration files. To do that, an attacker needs both “a malicious archive and extraction code that does not perform validation checking,” the firm said.
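The two ingredients Snyk names, an archive entry whose name climbs out of the target folder and extraction code that joins that name onto the destination without checking it, can be shown side by side. The following is an added illustration written for this article, not code from Snyk's advisory or from any of the affected libraries. It builds a small constructed test archive in memory, shows the unvalidated join pattern, and beside it a check that resolves the final path and refuses any entry that lands outside the extraction directory; the function names and the sample entry names are assumptions made for the example.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive(include_traversal=True):
    """Constructed test input (not a real-world sample): one ordinary entry
    and, optionally, one whose name tries to climb out of the target folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/config.yml", "debug: false\n")
        if include_traversal:
            zf.writestr("../../escaped.txt", "must never be written\n")
    return buf.getvalue()


def naive_target_path(dest_dir, entry_name):
    """The unvalidated pattern the advisory warns about: the archive entry
    name is joined onto the destination as-is, so '..' segments (or an
    absolute name) are honoured by the filesystem."""
    return os.path.join(dest_dir, entry_name)


def is_within_directory(dest_dir, target):
    """True only if `target`, after resolving '..' and symlinks, still lies
    inside `dest_dir`. commonpath (not startswith) avoids treating
    '/tmp/xx/...' as being inside '/tmp/x'."""
    dest_real = os.path.realpath(dest_dir)
    target_real = os.path.realpath(target)
    return os.path.commonpath([dest_real, target_real]) == dest_real


def audit_archive(archive_bytes, dest_dir):
    """Dry run: return the entry names that would escape dest_dir, without
    writing anything. Useful for scanning archives before extraction."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [
            name
            for name in zf.namelist()
            if not is_within_directory(dest_dir, naive_target_path(dest_dir, name))
        ]


def safe_extract(archive_bytes, dest_dir):
    """Validate every entry first, then write. Returns the names written.
    Two passes, so a bad entry late in the listing leaves nothing half-extracted."""
    bad = audit_archive(archive_bytes, dest_dir)
    if bad:
        raise ValueError("Zip Slip attempt blocked: %r" % bad)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = naive_target_path(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def run_demo():
    """Exercise both archives against a throwaway directory and report."""
    result = {}
    with tempfile.TemporaryDirectory() as dest:
        result["flagged"] = audit_archive(build_sample_archive(), dest)
        try:
            safe_extract(build_sample_archive(), dest)
            result["blocked"] = False
        except ValueError:
            result["blocked"] = True
        # two-pass design: the rejected archive left nothing behind
        result["files_after_block"] = sum(len(f) for _, _, f in os.walk(dest))
        result["clean_written"] = safe_extract(build_sample_archive(False), dest)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The check deliberately compares resolved paths rather than looking for the literal string "../": an entry name that is absolute, or one that passes through a symlink inside the destination, also ends up outside the target folder, and only the resolved path catches both. Validating the whole listing before writing anything is what keeps a malicious entry at the end of an archive from leaving a partially extracted tree behind.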


Snyk said that it began privately disclosing the vulnerability to affected coding libraries on April 15, and that Amazon, HP and others have since released patches.

“Given the severity and widespread nature of the Zip Slip vulnerability, I very strongly recommend you spend some time ensuring you are not vulnerable either through other libraries or your own code,” Grander wrote.

Snyk included a video demonstrating the exploit in Grander’s blog post.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
