CVE-2021-22114

Name of the Vulnerable Software and Affected Versions Spring-integration-zip versions prior to 1.0.4

Description The issue allows for an arbitrary file write, which can be achieved by using a specially crafted zip archive, as well as other archives such as bzip2, tar, xz, war, cpio, and 7z. These archives can contain path traversal filenames. When the filename is concatenated to the target extraction directory, the final path can end up outside of the target folder.

Recommendations For Spring-integration-zip versions prior to 1.0.4, update to version 1.0.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of zip archives and other affected archive types until the update is applied. Avoid using the vulnerable zip extraction functionality in the affected versions until the issue is resolved.