4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32841

GHSA ID

GHSA-2x7h-96h5-rq84

EPSS Score

0.57377%

CWE

CWE-22

Published

2/1/2022

Updated

2/3/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32841

CVE-2021-32841: Path Traversal in SharpZipLib

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting version 1.3.0 and prior to version 1.3.3, a check was added if the destination file is under destination directory. However, it is not enforced that destDir ends with slash. If the destDir is not slash terminated like /home/user/dir it is possible to create a file with a name thats begins with the destination directory, i.e. /home/user/dir.sh. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 contains a patch for this vulnerability.

(GitHub Advisory)

4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32841

GHSA ID

GHSA-2x7h-96h5-rq84

EPSS Score

0.57377%

CWE

CWE-22

Published

2/1/2022

Updated

2/3/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
SharpZipLib	nuget	>= 1.3.0, < 1.3.3	1.3.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the ExtractEntry method's path validation logic. The original code combined destDir with the entry's filename and checked if the full normalized path started with destDir. However, if destDir was not slash-terminated (e.g., /home/user/dir), an entry named dir.sh would result in a path like /home/user/dir/dir.sh, which passes the check. More critically, entries exploiting partial directory matches (e.g., dir.sh as a sibling file) could bypass containment checks. The patch replaced Path.GetFullPath(destFile) with the directory portion (destFileDir), ensuring the parent directory of the extracted file is strictly under destDir, mitigating partial matches. The commit diff and advisory explicitly reference this function as the patched location, confirming its role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

S**rpZipLi* (or #zipli*) is * Zip, *Zip, T*r *n* *Zip* li*r*ry. St*rtin* v*rsion *.*.* *n* prior to v*rsion *.*.*, * ****k w*s ***** i* t** **stin*tion *il* is un**r **stin*tion *ir**tory. *ow*v*r, it is not *n*or*** t**t `**st*ir` *n*s wit* sl*s*. I

Reasoning

T** vuln*r**ility st*ms *rom t** `*xtr**t*ntry` m*t*o*'s p*t* v*li**tion lo*i*. T** ori*in*l *o** *om*in** `**st*ir` wit* t** *ntry's *il*n*m* *n* ****k** i* t** *ull norm*liz** p*t* st*rt** wit* `**st*ir`. *ow*v*r, i* `**st*ir` w*s not sl*s*-t*rmin*

4

Basic Information

Concerned about an active attack path?

CVE-2021-32841: Path Traversal in SharpZipLib

4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI