#VU66220 Out-of-bounds write in UnZip


Published: 2022-08-09

Vulnerability identifier: #VU66220

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0529

CWE-ID: CWE-787

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
UnZip
Client/Desktop applications / Software for archiving

Vendor: Info-ZIP

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing zip archives during the conversion of a UTF-8 string to a local string. A remote attacker can create a specially crafted zip file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

UnZip: 5.2 - 6.10c22


CPE

External links
http://github.com/ByteHackr/unzip_poc
http://bugzilla.redhat.com/show_bug.cgi?id=2051395


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability