Spring Integration Zip 1.0.4 & CVE-2021-22114

Dear Spring community,

On behalf of the team and everyone who contributed, it is my pleasure to announce the 1.0.4.RELEASE version of the Spring Integration Zip extension.


The UnZipTransformer doesn’t cover all the cases of the Zip Slip vulnerability, and some particular zip entry names may still end up outside of the working directory.

The updated fix has been released in the spring-integration-zip-1.0.4.RELEASE version together with some other bug fixes and improvements. We have also published a new advisory for CVE-2021-22114.

Credit: Trung Pham, Viettel Cyber Security.

Everybody who uses the unzip feature of Spring Integration Zip is encouraged to upgrade accordingly.
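
For code that unpacks archives itself, the containment check that Zip Slip defences rely on can be sketched as follows. This is an added example, not the UnZipTransformer source and not the fix shipped in 1.0.4. The class name `SafeUnzip`, the method `resolveInside` and the sample entry names are hypothetical, and it assumes the working directory contains no symbolic links.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzip {

    // Resolve an entry name against workDir and reject anything that escapes it.
    static Path resolveInside(Path workDir, String entryName) throws IOException {
        Path root = workDir.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        // Path.startsWith compares whole path elements, so a sibling directory such as
        // "work-other" is not treated as inside "work" (a String prefix test would accept it).
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IOException("Entry outside of working directory: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path workDir = Files.createTempDirectory("work");
        // Constructed sample archive: one ordinary entry and three names that leave workDir.
        String[] names = {"docs/readme.txt", "../escape.txt", "docs/../../escape.txt",
                "../" + workDir.getFileName() + "-other/escape.txt"};
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            for (String name : names) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("sample".getBytes());
                zos.closeEntry();
            }
        }
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
                Path target;
                try {
                    target = resolveInside(workDir, e.getName());
                } catch (IOException rejected) {
                    System.out.println("rejected  " + e.getName());
                    continue; // skip the entry, nothing is written
                }
                Files.createDirectories(target.getParent());
                Files.copy(zis, target); // reads only the current entry's bytes
                System.out.println("extracted " + workDir.relativize(target));
            }
        }
    }
}
```

Only `docs/readme.txt` is written; the other three entries are rejected before any file is created.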

