{"id":"CVE-2024-24569","summary":"`ZipSecurity#isBelowCurrentDirectory` is vulnerable to a partial-path traversal bypass","details":"The Pixee Java Code Security Toolkit is a set of security APIs meant to help secure Java code. `ZipSecurity#isBelowCurrentDirectory` is vulnerable to a partial-path traversal bypass. To be vulnerable to the bypass, the application must use toolkit version \u003c=1.1.1, use ZipSecurity as a guard against path traversal, and have an exploitable path. Although the control still prevents attackers from escaping the application path into higher-level directories (e.g., /etc/), it allows \"escaping\" into sibling paths whose names share the application path as a string prefix. For example, if the application's running path is /my/app/path, an attacker could navigate into /my/app/path-something-else. This vulnerability is patched in 1.1.2.","aliases":["GHSA-qh4g-4m4w-jgv2"],"modified":"2026-04-02T10:02:41.776817Z","published":"2024-02-01T19:02:17.452Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/24xxx/CVE-2024-24569.json","cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/pixee/java-security-toolkit/blob/7c8e93e6fb2420fb6003c54a741e267c4f883bab/src/main/java/io/github/pixee/security/ZipSecurity.java#L82-L87"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/24xxx/CVE-2024-24569.json"},{"type":"ADVISORY","url":"https://github.com/pixee/java-security-toolkit/security/advisories/GHSA-qh4g-4m4w-jgv2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24569"},{"type":"FIX","url":"https://github.com/pixee/java-security-toolkit/commit/b885b03c9cfae53d62d239037f9654d973dd54d9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pixee/java-security-toolkit","events":[{"introduced":"0"},{"fixed":"b885b03c9cfae53d62d239037f9654d973dd54d9"}]}],"versions":["v1.0.0","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.0.5","v1.0.6","v1.0.7","v1.1.0","v1.1.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-24569.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"}]}
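The sibling-directory escape described in the advisory is the classic "partial path traversal" (CWE-22) pattern: a guard canonicalizes the target path and then checks that the resulting string starts with the base directory string, so any sibling whose name begins with the base name passes. The example below is added here to illustrate that class of bug and its fix; it is not the toolkit's own code, and the exact implementation behind `ZipSecurity#isBelowCurrentDirectory` in the affected versions is not reproduced. The class name `PartialPathTraversalDemo`, the two guard methods, the base directory `/my/app/path` and the zip entry names are all assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

/**
 * Added example (not part of the Pixee toolkit): a prefix-string guard
 * that permits sibling-directory escape, beside a component-wise guard
 * that does not. Base directory and entry names are constructed inputs.
 */
public class PartialPathTraversalDemo {

    /**
     * Hypothetical vulnerable guard. Canonicalization resolves "..", so
     * higher-level escapes such as /etc/passwd are rejected, but a plain
     * String#startsWith treats "/my/app/path-something-else" as being
     * "below" "/my/app/path" because the strings share a prefix.
     */
    static boolean isBelowDirPrefixOnly(File base, String entryName) throws IOException {
        String canonicalBase = base.getCanonicalPath();
        String canonicalTarget = new File(base, entryName).getCanonicalPath();
        return canonicalTarget.startsWith(canonicalBase);
    }

    /**
     * Hardened guard. java.nio.file.Path#startsWith compares whole path
     * components, so "/my/app/path-something-else" is not a descendant of
     * "/my/app/path". An equivalent string-based fix is to compare against
     * canonicalBase + File.separator (plus an equality check for the base itself).
     */
    static boolean isBelowDirComponentWise(File base, String entryName) throws IOException {
        Path canonicalBase = base.getCanonicalFile().toPath();
        Path canonicalTarget = new File(base, entryName).getCanonicalFile().toPath();
        return canonicalTarget.startsWith(canonicalBase);
    }

    public static void main(String[] args) throws IOException {
        // Assumed application directory; the paths do not need to exist for
        // getCanonicalPath to resolve ".." segments.
        File base = new File("/my/app/path");

        // Constructed zip entry names: a benign file, a sibling-directory
        // escape (the bypass from the advisory), and a higher-level escape.
        String[] entries = {
            "docs/readme.txt",
            "../path-something-else/evil.jsp",
            "../../../etc/passwd"
        };

        for (String entry : entries) {
            System.out.printf("%-36s prefixOnly=%-5b componentWise=%-5b%n",
                entry,
                isBelowDirPrefixOnly(base, entry),
                isBelowDirComponentWise(base, entry));
        }
    }
}
```

Run with `java PartialPathTraversalDemo.java` (Java 11 or later). The sibling entry is accepted by the prefix-only guard and rejected by the component-wise guard, while the `/etc/passwd` entry is rejected by both, which matches the advisory's description of a control that still blocks higher-level escapes but not sibling ones. Note that `getCanonicalPath` also resolves symlinks on the parts of the path that exist, so the check should be applied to the final, canonical destination, not to the raw entry name.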