CVE-2024-49771.yml
---
gem: mpxj
cve: 2024-49771
ghsa: j945-c44v-97g6
url: https://github.com/joniles/mpxj/security/advisories/GHSA-j945-c44v-97g6
title: MPXJ has a Potential Path Traversal Vulnerability
date: 2024-10-28
description: |
  ### Impact
  The patch for the historical vulnerability CVE-2020-35460 in MPXJ
  is incomplete as there is still a possibility that a malicious path
  could be constructed which would not be picked up by the original
  fix and allow files to be written to arbitrary locations.
  ### Patches
  The issue is addressed in MPXJ version 13.5.1
  ### Workarounds
  Do not pass zip files to MPXJ.
  ### References
  N/A
cvss_v3: 5.3
unaffected_versions:
  - "< 8.3.5"
patched_versions:
  - ">= 13.5.1"
related:
  url:
    - https://github.com/joniles/mpxj/security/advisories/GHSA-j945-c44v-97g6
    - https://github.com/joniles/mpxj/commit/8002802890dfdc8bc74259f37e053e15b827eea0
    - https://github.com/advisories/GHSA-j945-c44v-97g6