PT-2022-10096 · Unknown · SharpZipLib

Jarlob (+1) · Published 2022-01-26 · Updated 2022-02-07 · CVE-2021-32842

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SharpZipLib versions 1.0.0 through 1.3.2

Description: The issue affects SharpZipLib, a library for handling Zip, GZip, Tar, and BZip2 files. A check was added to ensure that the destination file lies under the destination directory, but it does not enforce that baseDirectory ends with a slash. Because the comparison is then only a prefix match, a file can be created one level up, in a location whose name merely begins with the destination directory's name, limited by file name and destination directory constraints. The impact depends on the use case.

Recommendations: For versions 1.0.0 through 1.3.2, update to version 1.3.3 to resolve the issue. As a temporary workaround, ensure that baseDirectory always ends with a slash so that the check cannot be satisfied by a sibling path with a matching prefix.
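The check described above, as an added illustration that is not SharpZipLib's code: a small Python model of how an extractor computes each entry's destination path and decides whether it is inside the extraction directory. It places the flawed prefix-only comparison beside a separator-aware one and also shows why the advisory's trailing-slash workaround neutralises the flaw. The extraction directory and the archive entry names are constructed for the demonstration; posixpath is used so the behaviour is the same on every platform.

```python
import posixpath

# Constructed sample archive entry names (not taken from the advisory).
SAMPLE_ENTRIES = [
    "docs/readme.txt",        # benign entry, stays under the extraction directory
    "../extract2/evil.txt",   # resolves to a sibling directory whose name begins with the base name
    "../../etc/passwd",       # classic traversal; rejected by both checks
]


def resolve(base_dir, entry_name):
    """Join an archive entry name onto the extraction directory and normalise it,
    the way an extractor computes the destination file path."""
    return posixpath.normpath(posixpath.join(base_dir, entry_name))


def check_prefix_only(base_dir, dest):
    """The flawed check: a plain string-prefix comparison against base_dir as given.
    With base_dir='/srv/extract' the path '/srv/extract2/evil.txt' passes, because
    it starts with the same characters. Passing '/srv/extract/' (trailing slash,
    the advisory's workaround) closes that gap because '/srv/extract2/...' no
    longer shares the prefix."""
    return dest.startswith(base_dir)


def check_with_separator(base_dir, dest):
    """The fixed check: normalise the base directory, append a separator, and
    require the destination to start with that, so only true descendants match.
    The directory itself is also accepted."""
    base = posixpath.normpath(base_dir)  # strips a trailing "/" so both spellings behave alike
    base_with_sep = base if base.endswith("/") else base + "/"
    return dest == base or dest.startswith(base_with_sep)


def classify(base_dir, entries=SAMPLE_ENTRIES):
    """Return {entry_name: (prefix_only_result, with_separator_result)} for each entry."""
    results = {}
    for name in entries:
        dest = resolve(base_dir, name)
        results[name] = (check_prefix_only(base_dir, dest), check_with_separator(base_dir, dest))
    return results


if __name__ == "__main__":
    for base in ("/srv/extract", "/srv/extract/"):
        print(f"base directory: {base!r}")
        for name, (weak, strong) in classify(base).items():
            print(f"  {name:24} prefix-only={weak!s:5} with-separator={strong}")
```

Running the block shows that only the sibling-directory entry separates the two checks: the prefix-only comparison admits it when the base directory has no trailing slash and rejects it once the slash is present, while the separator-aware check rejects it in both cases. The traversal entry that escapes to `/etc` fails both checks, which is why the advisory rates the impact as limited by file name and destination directory constraints.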

Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers
CVE-2021-32842
GHSA-MM6G-MMQ6-53FF

Affected Products
SharpZipLib