CVE-2022-21675

Name of the Vulnerable Software and Affected Versions Bytecode Viewer (BCV) versions prior to 2.11.0

Description The issue concerns Arbitrary File Write via Archive Extraction, also known as "Zip Slip". This is exploited using a specially crafted archive that holds directory traversal filenames, such as ../../evil.exe. The vulnerability can affect numerous archive formats, including zip, jar, tar, war, cpio, apk, rar, and 7z. An attacker can overwrite executable files, achieving remote command execution on the victim's machine by either invoking them remotely or waiting for the system or user to call them. In a web application context, a web shell could be placed within the application directory to achieve code execution. The impact allows an attacker to create or overwrite existing files on the filesystem.

Recommendations For versions prior to 2.11.0, upgrade to BCV v2.11.0 to receive a patch. There are no recommended workarounds aside from upgrading.