Security Advisory

ZipSlip vulnerability in elfinder.NetCore

A ZipSlip vulnerability allows malicious users to place arbitrary files in arbitrary locations.

Advisory ID: MLSA-2021-003
CVE: CVE-2021-23427
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: high
Affected versions: all versions
Fixed versions: no fix
Discovered by: Timo Müller

Product description

elFinder.NetCore is a file manager for the web.

Details

When extracting ZIP archives, the code does not sanitize the entry name from the ZIP file before using it to construct the full destination path. This can be abused to write arbitrary files to arbitrary locations.

Here is the vulnerable code in FileSystemDriver.cs:

foreach (ZipArchiveEntry entry in archive.Entries)
{
    try
    {
        // Replace zip entry path separator with system path separator.
        // entry.FullName is used unsanitized, so the combined path can point outside rootPath.
        string file = Path.Combine(rootPath, entry.FullName)
             .Replace("/", separator).Replace("\\", separator);
        if (file.EndsWith(separator)) //directory
        {
            var dir = new FileSystemDirectory(file);
            if (!await dir.ExistsAsync)
            // ...
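
A hardened form of the extraction loop above, as an added example that is not part of the advisory or the project's code: each entry path is canonicalized and rejected unless it stays under the extraction root. The names SafeZip, ResolveEntryPath and ExtractAll are hypothetical, and the sketch uses the standard System.IO types instead of the project's FileSystemDirectory abstraction (assumes .NET Core 3.0 or later).

```csharp
using System;
using System.IO;
using System.IO.Compression;

// Added example; SafeZip, ResolveEntryPath and ExtractAll are hypothetical names.
public static class SafeZip
{
    // Returns the canonical destination for an entry, or throws if the
    // entry name would resolve to a location outside rootPath.
    public static string ResolveEntryPath(string rootPath, string entryName)
    {
        // Canonical root with exactly one trailing separator, so a sibling
        // such as "/data/root-other" is not accepted as being under "/data/root".
        string root = Path.GetFullPath(rootPath)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // Normalize both separator styles, as the original loop does.
        string relative = entryName
            .Replace('\\', Path.DirectorySeparatorChar)
            .Replace('/', Path.DirectorySeparatorChar);

        // Path.Combine does not collapse ".." and discards root when the
        // second argument is rooted; GetFullPath makes the result canonical.
        string full = Path.GetFullPath(Path.Combine(root, relative));

        if (!full.StartsWith(root, StringComparison.Ordinal))
            throw new InvalidDataException($"Entry escapes extraction root: {entryName}");
        return full;
    }

    public static void ExtractAll(ZipArchive archive, string rootPath)
    {
        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            // Validate before touching the file system.
            string target = ResolveEntryPath(rootPath, entry.FullName);
            if (Path.EndsInDirectorySeparator(target)) // directory entry
            {
                Directory.CreateDirectory(target);
                continue;
            }
            Directory.CreateDirectory(Path.GetDirectoryName(target));
            entry.ExtractToFile(target, overwrite: false);
        }
    }
}
```

The check is lexical, so it does not account for symbolic links that already exist under the extraction root.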

Coordinated Disclosure Timeline

  • 30/06/2021 Issue reported to Snyk, which handled the vulnerability disclosure and assigned a CVE.
  • 20/08/2021 Public disclosure.