PT-2024-1636 · Unknown · Pixee Java Code Security Toolkit

Jlleitschuh · Published 2024-02-01 · Updated 2024-02-09 · CVE-2024-24569

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pixee Java Code Security Toolkit versions <=1.1.1

Description: The issue is a partial-path traversal bypass in the ZipSecurity#isBelowCurrentDirectory function. The check still prevents escaping into higher-level directories, but it allows attackers to "escape" into sibling paths whose names begin with the expected directory's name. For example, if the running path is /my/app/path, an attacker could navigate into /my/app/path-something-else. The vulnerability is patched in version 1.1.2.

Recommendations: For Pixee Java Code Security Toolkit versions <=1.1.1, update to version 1.1.2 to resolve the issue. As a temporary workaround, consider restricting the use of the ZipSecurity#isBelowCurrentDirectory function until a patch is applied.
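The sibling-path bypass described above, as an added illustration that is not the toolkit's own code: a containment check built on a plain string prefix of canonical paths, beside a corrected check that requires the directory separator after the base path. The class and method names are assumptions chosen for this example.

```java
import java.io.File;
import java.io.IOException;

public class PartialPathTraversalDemo {

    // Flawed check (illustrative, not the toolkit's code): a bare string-prefix
    // comparison of canonical paths. "/my/app/path-something-else" starts with
    // "/my/app/path", so a sibling directory is wrongly accepted.
    static boolean isBelowFlawed(File base, File candidate) throws IOException {
        return candidate.getCanonicalPath().startsWith(base.getCanonicalPath());
    }

    // Corrected check: accept the base itself, otherwise require the base path
    // followed by a separator, so only true descendants match. A component-wise
    // java.nio.file.Path#startsWith on normalized paths is an equivalent option.
    static boolean isBelowFixed(File base, File candidate) throws IOException {
        String basePath = base.getCanonicalPath();
        String candidatePath = candidate.getCanonicalPath();
        if (candidatePath.equals(basePath)) {
            return true;
        }
        String prefix = basePath.endsWith(File.separator) ? basePath : basePath + File.separator;
        return candidatePath.startsWith(prefix);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample paths mirroring the advisory's example; none need to exist,
        // getCanonicalPath only normalizes them.
        File base = new File("/my/app/path");
        File inside = new File("/my/app/path/data.txt");
        File parentEscape = new File("/my/app/path/../secret.txt");
        File sibling = new File("/my/app/path-something-else/evil.txt");

        report("inside", base, inside);        // flawed=true  fixed=true
        report("parentEscape", base, parentEscape); // flawed=false fixed=false
        report("sibling", base, sibling);      // flawed=true  fixed=false
    }

    static void report(String label, File base, File candidate) throws IOException {
        System.out.printf("%-13s flawed=%-5s fixed=%s%n", label,
                isBelowFlawed(base, candidate), isBelowFixed(base, candidate));
    }
}
```

The sibling case is the one the advisory describes: both checks reject the parent escape, but only the separator-aware check rejects the sibling directory.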

Weakness Enumeration: Path traversal

Related Identifiers

BDU:2024-01307
CVE-2024-24569
GHSA-QH4G-4M4W-JGV2

Affected Products

Pixee Java Code Security Toolkit