PT-2023-9823 · Igor Pavlov · 7-Zip

Maxim Suhanov · Published 2023-08-18 · Updated 2025-07-11 · CVE-2023-52169

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Name of the Vulnerable Software and Affected Versions: 7-Zip versions prior to 24.01

Description: The issue is an out-of-bounds read in the NTFS handler of 7-Zip. It allows an attacker to read beyond the intended buffer, with the bytes read presented as part of a filename in the file system image. The security relevance of this issue is notable in web-service use cases where untrusted users can upload files that are then extracted by a server-side 7-Zip process. The vulnerability can be exploited by a remote attacker to upload arbitrary files and gain unauthorized access to protected information.

Recommendations: For versions prior to 24.01, update to version 24.01 or later to resolve the issue. As a temporary workaround, consider restricting the use of the NTFS handler in 7-Zip to minimize the risk of exploitation. Avoid using 7-Zip to extract files from untrusted sources until the issue is resolved.
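As an added example (not part of this advisory and not 7-Zip's own code), a pre-extraction gate for a server-side pipeline that applies the two recommendations above: it parses the version from the `7z` banner and, on versions before 24.01, refuses input that looks like an NTFS image. The banner strings and boot sector below are constructed samples, and recognising an NTFS image by its boot-sector OEM ID is an assumption of this example, not how 7-Zip selects its handler.

```python
"""Extraction gate for a server-side 7-Zip pipeline (added example).

Assumptions (not from the advisory): the banner text is the first line
printed by running `7z` with no arguments, and an NTFS image is recognised
by the "NTFS    " OEM ID at offset 3 of the boot sector plus 0x55AA at 510.
"""
import re

FIXED_VERSION = (24, 1)  # 7-Zip 24.01 resolves CVE-2023-52169 per the advisory


def parse_7z_version(banner: str):
    """Return (major, minor) from a 7-Zip banner line, or None if absent."""
    m = re.search(r"7-Zip\b.*?(\d+)\.(\d+)", banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_fixed(version) -> bool:
    """True when the parsed version is 24.01 or later."""
    return version is not None and version >= FIXED_VERSION


def looks_like_ntfs_image(data: bytes) -> bool:
    """Heuristic (assumption): NTFS boot sector with OEM ID and 0x55AA signature."""
    return (len(data) >= 512 and data[3:11] == b"NTFS    "
            and data[510:512] == b"\x55\xaa")


def extraction_decision(banner: str, header: bytes):
    """Apply the workaround: unknown version -> refuse; unfixed -> refuse NTFS images."""
    version = parse_7z_version(banner)
    if version is None:
        return False, "cannot determine 7-Zip version; refusing untrusted input"
    if is_fixed(version):
        return True, "7-Zip %d.%02d is at or above 24.01" % version
    if looks_like_ntfs_image(header):
        return False, "7-Zip %d.%02d is vulnerable and input is an NTFS image" % version
    return True, "7-Zip %d.%02d is vulnerable but input is not an NTFS image" % version


# Constructed sample banners (not real captures)
OLD_BANNER = "7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20"
NEW_BANNER = "7-Zip 24.01 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-01-31"


def constructed_ntfs_boot_sector() -> bytes:
    """Constructed minimal NTFS boot sector for testing the gate."""
    sector = bytearray(512)
    sector[0:11] = b"\xeb\x52\x90NTFS    "
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)
```

In production the banner would come from `subprocess.run(["7z"], capture_output=True, text=True).stdout` and the header from the first 512 bytes of the uploaded file.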

Fix

Weakness Enumeration

Out-of-bounds Read
Heap-based Buffer Overflow

Related Identifiers

ALT-PU-2024-15154
ALT-PU-2024-15240
BDU:2024-04975
BDU:2024-11604
CVE-2023-52169
OESA-2025-1748
OPENSUSE-SU-2024_2625-1
SUSE-SU-2024:2475-1
SUSE-SU-2024:2625-1
USN-7438-1

Affected Products

7-Zip
Alt Linux
Debian
Linuxmint
Red Os
Suse
Ubuntu