CVE-2021-32840: Path Traversal in SharpZipLib
CVSS Score: 7.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-32840
GHSA ID
EPSS Score: 0.80715%
CWE
Published: 2/1/2022
Updated: 2/3/2023
KEV Status: No
Technology: C#
Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| SharpZipLib | nuget | < 1.3.3 | 1.3.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper path validation during TAR extraction. The security advisory and the tests added with the fix specifically target the behaviour of TarArchive.ExtractContents. The tests demonstrate that, even with allowTraverse=false, the method previously allowed an entry to escape into a parent directory. It became vulnerable because it failed to sanitize entry paths and to enforce containment within the target directory, namely by resolving the candidate path with Path.GetFullPath and comparing it against the destination directory terminated with a directory separator. The patch likely added proper path normalization and these validation checks to the method.
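As an added illustration of the containment check the analysis describes (this is not SharpZipLib's own code; the helper name and the sample entry names are constructed):

```csharp
using System;
using System.IO;

// Added illustration (not SharpZipLib's code): the containment check the
// analysis describes, written as a stand-alone helper.
static class SafeExtract
{
    // Returns the full path an archive entry may be written to, or null if the
    // entry would resolve outside destDir (the allowTraverse = false case).
    public static string ResolveInside(string destDir, string entryName)
    {
        // Normalise the destination and terminate it with a separator so that
        // "C:\out" is not matched by a sibling such as "C:\out-evil\file".
        string root = Path.GetFullPath(destDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // Reject absolute entry names outright: Path.Combine would drop root.
        if (Path.IsPathRooted(entryName))
            return null;

        // GetFullPath collapses "." and ".." segments, so an entry such as
        // "../x" resolves to its real location and the prefix test catches it.
        string candidate = Path.GetFullPath(Path.Combine(root, entryName));

        return candidate.StartsWith(root, StringComparison.Ordinal) ? candidate : null;
    }

    static void Main()
    {
        string dest = Path.Combine(Path.GetTempPath(), "extract-demo");
        // Constructed entry names: one benign, two that would escape the target.
        foreach (var name in new[] { "docs/readme.txt", "../outside.txt", "sub/../../outside.txt" })
        {
            string resolved = ResolveInside(dest, name);
            Console.WriteLine($"{name,-24} -> {(resolved ?? "REJECTED")}");
        }
    }
}
```

The trailing-separator step matters as much as GetFullPath: without it, a plain prefix comparison accepts any sibling directory whose name merely begins with the destination's name.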