
CVE-2021-23391: Calipso Arbitrary File Write via Archive Extraction (Zip Slip)

CVSS Score
7.3 (CVSS v3.1)

Basic Information

EPSS Score
0.26327%
Published
6/8/2021
Updated
9/7/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Package Name
calipso
Ecosystem
npm
Vulnerable Versions
<= 0.3.54
First Patched Version
(none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability manifests in module installation functionality where ZIP archive extraction occurs. The key indicators are:

  1. The Snyk PoC demonstrates exploitation through 'calipso modules download' with a malicious ZIP
  2. CWE-29 (Path Traversal) is explicitly listed
  3. The description specifies the attack vector is through module install functionality
  4. Node.js ZIP extraction vulnerabilities typically involve unsanitized path concatenation

While exact line numbers aren't available, the module installation workflow (download -> extract -> write files) must contain the vulnerable path handling logic in these core module management functions.

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

This affects all versions of package calipso. It is possible for a malicious module to overwrite files on an arbitrary file system through the module install functionality.
