CVE-2021-23520

low-risk
Published 2022-01-31

The package juce-framework/juce before 6.1.5 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the ZipFile::uncompressEntry function in juce_ZipFile.cpp. This vulnerability is triggered when the archive is extracted upon calling uncompressTo() on a ZipFile object.

Do I need to act?

-
0.74% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Juce

Affected Vendors

Juce

References (6)

Patch https://github.com/juce-framework/JUCE/commit/2e874e80cba0152201aff6a4d0dc407997...
Exploit https://snyk.io/research/zip-slip-vulnerability
Exploit https://snyk.io/vuln/SNYK-UNMANAGED-JUCEFRAMEWORKJUCE-2388607
Patch https://github.com/juce-framework/JUCE/commit/2e874e80cba0152201aff6a4d0dc407997...
Exploit https://snyk.io/research/zip-slip-vulnerability
Exploit https://snyk.io/vuln/SNYK-UNMANAGED-JUCEFRAMEWORKJUCE-2388607
25
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal