{"id":"GHSA-r285-q736-9v95","summary":"Filename spoofing in archive","details":"An issue in Archive v3.3.7 allows attackers to spoof zip filenames, which can lead to inconsistent filename parsing.","aliases":["CVE-2023-39137"],"modified":"2024-10-02T13:45:54.869272Z","published":"2023-08-31T00:30:17Z","database_specific":{"github_reviewed_at":"2023-08-31T01:43:38Z","github_reviewed":true,"severity":"HIGH","cwe_ids":["CWE-20"],"nvd_published_at":"2023-08-30T22:15:09Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39137"},{"type":"WEB","url":"https://github.com/brendan-duncan/archive/issues/266"},{"type":"WEB","url":"https://github.com/brendan-duncan/archive/commit/0d17b270a3c33d3bed56cadd9a43da7717ab11f4"},{"type":"WEB","url":"https://blog.ostorlab.co/zip-packages-exploitation.html"},{"type":"PACKAGE","url":"https://github.com/brendan-duncan/archive"},{"type":"WEB","url":"https://ostorlab.co/vulndb/advisory/OVE-2023-3"},{"type":"WEB","url":"https://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_name_spoofing"}],"affected":[{"package":{"name":"archive","ecosystem":"Pub","purl":"pkg:pub/archive"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.3.8"}]}],"versions":["1.0.0","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.16","1.0.17","1.0.18","1.0.19","1.0.2","1.0.20","1.0.21","1.0.22","1.0.23","1.0.24","1.0.25","1.0.26","1.0.27","1.0.28","1.0.29","1.0.3","1.0.31","1.0.32","1.0.33","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","2.0.0","2.0.1","2.0.10","2.0.11","2.0.12","2.0.13","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","3.0.0","3.0.0-nullsafety.0","3.1.1","3.1.10","3.1.11","3.1.2","3.1.3","3.1.4","3.1.5","3.1.6","3.1.7","3.1.8","3.1.9","3.2.0","3.2.1","3.2.2","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7"],"database_specific":{"last_known_affected_version_range":"\u003c= 3.3.7","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-r285-q736-9v95/GHSA-r285-q736-9v95.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}