Szarvas

**Name of the Vulnerable Software and Affected Versions** juce-framework/JUCE versions prior to 6.1.5 **Description** This issue is triggered when a malicious archive is crafted with an entry containing a symbolic link. When extracted, the symbolic link is followed outside of the target directory, allowing writing of arbitrary files on the target host. In some cases, this can allow an attacker to execute arbitrary code. The vulnerable code is in the `ZipFile::uncompressEntry` function in juce ZipFile.cpp and is executed when the archive is extracted upon calling `uncompressTo()` on a `ZipFile` object. **Recommendations** For versions prior to 6.1.5, update to version 6.1.5 or later to resolve the issue. As a temporary workaround, consider disabling the `uncompressTo()` function on `ZipFile` objects until a patch is available. Restrict access to the `juce ZipFile.cpp` module to minimize the risk of exploitation. Avoid using the `ZipFile::uncompressEntry` function in the affected `juce ZipFile.cpp` file until the issue is resolved.