CVE-2024-48510

moderate-risk
Published 2024-11-13

Directory Traversal vulnerability in DotNetZip v.1.16.0 and before allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Do I need to act?

~
2.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: fd09cca1bcd33ee6c9abea1885136ac5b5aecd5b
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Prodotnetzip
Dotnetzip.Semverd

Affected Vendors

Dotnetzip.Semverd Project Mihula

References (4)

Patch https://gist.github.com/thomas-chauchefoin-bentley-systems/855218959116f870f0885...
Product https://github.com/haf/DotNetZip.Semverd
Product https://github.com/haf/DotNetZip.Semverd/blob/e487179b33a9a0f2631eed5fb04d2c952e...
Product https://www.nuget.org/packages/DotNetZip/
44
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 5/34 · Minimal
Exposure 7/34 · Low