PT-2021-22460 · Unknown · Sharpcompress

Jarlob · Published 2021-09-16 · Updated 2021-09-28 · CVE-2021-39208

CVSS v4.0: 5.3 Medium
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SharpCompress versions prior to 0.29.0

Description: The issue is a partial path traversal vulnerability in SharpCompress, a fully managed C# library for handling various compression types and formats. When ExtractFullPath is set to true in the options, SharpCompress recreates the archive's directory hierarchy under the destination directory. To prevent extraction outside this directory, the destination file path is checked to begin with the full destination directory path. However, in versions prior to 0.29.0, the full destination directory path is not required to end with a slash, so the check is a bare string prefix test. Under specific conditions, namely when the destination directory is not slash-terminated (e.g., /home/user/dir), this allows a file to be created one level up from the destination directory, in a sibling path whose name begins with the destination directory name (e.g., /home/user/dir2/...). The impact of the arbitrary file creation is limited by these file name and destination directory constraints and depends on the use case.

Recommendations: For SharpCompress versions prior to 0.29.0, update to version 0.29.0 to resolve the issue. As a temporary workaround, ensure that the destination directory path always ends with a slash so that the prefix check only matches true descendants. Restrict the use of ExtractFullPath set to true in the options until the update is applied.
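The prefix check described above, shown as an added example written for this page and not taken from SharpCompress itself. ExtractPathCheck, IsInsideVulnerable and IsInsideHardened are assumed names, and the sample paths are constructed. The first method reproduces the bare string prefix test; the second applies the recommended workaround in code by normalising both paths and slash-terminating the destination before comparing, so a sibling directory whose name merely begins with the destination name is rejected.

```csharp
using System;
using System.IO;

// Added example, not SharpCompress code: a destination-containment check of the
// kind the advisory describes, in its flawed and hardened forms.
public static class ExtractPathCheck
{
    // Flawed variant: a bare prefix test on the raw strings. With destination
    // "/home/user/dir" (no trailing slash), a candidate under the sibling
    // directory "/home/user/dir2/" also begins with the destination string
    // and is therefore accepted, although it lies outside the destination.
    public static bool IsInsideVulnerable(string destinationDir, string fullPath)
    {
        return fullPath.StartsWith(destinationDir, StringComparison.Ordinal);
    }

    // Hardened variant: resolve both paths (which also collapses ".." segments),
    // make sure the destination prefix ends with the directory separator, and
    // only then compare. "/home/user/dir/" is not a prefix of
    // "/home/user/dir2/payload.txt", so the sibling path is rejected.
    public static bool IsInsideHardened(string destinationDir, string fullPath)
    {
        string dest = Path.GetFullPath(destinationDir);
        string sep = Path.DirectorySeparatorChar.ToString();
        if (!dest.EndsWith(sep, StringComparison.Ordinal))
        {
            dest += sep;
        }
        string candidate = Path.GetFullPath(fullPath);
        return candidate.StartsWith(dest, StringComparison.Ordinal);
    }

    public static void Main()
    {
        // Constructed sample values for the demonstration.
        string destinationDir = "/home/user/dir";          // not slash-terminated
        string siblingFile = "/home/user/dir2/payload.txt"; // one level up, name begins with "dir"
        string childFile = "/home/user/dir/sub/file.txt";   // a genuine descendant

        Console.WriteLine("vulnerable check accepts sibling: " +
                          IsInsideVulnerable(destinationDir, siblingFile));
        Console.WriteLine("hardened check accepts sibling:   " +
                          IsInsideHardened(destinationDir, siblingFile));
        Console.WriteLine("hardened check accepts child:     " +
                          IsInsideHardened(destinationDir, childFile));
    }
}
```

Running the program shows the flawed check accepting the sibling path and the hardened check rejecting it while still accepting the genuine child. The ordinal comparison is appropriate for case-sensitive file systems; on Windows, where Path.GetFullPath also rewrites the leading "/" to the current drive, a case-insensitive comparison would be needed to avoid rejecting legitimate entries that differ only in case.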

Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-39208
GHSA-JP7F-GRCV-6MJF

Affected Products

Sharpcompress