CVE-2021-43099

Published
View on NVD ↗
CVSS v3
4.9
MEDIUM
CVSS v2
4
MEDIUM
Affected
1
PROJECT

Description

An Archive Extraction (AKA "Zip Slip) vulnerability exists in bbs 5.3 in the UpgradeNow function in UpgradeManageAction.java, which unzips the arbitrary upladed zip file without checking filenames. The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe).

diyhi/bbs
diyhi/bbs
巡云轻论坛是一款基于 JDK21 + Spring Boot 4.x 构建的现代社区系统,采用前后端分离架构,自适应移动端与 PC 端。系统集成论坛与问答模块。针对高频访问数据表引入分表存储策略,有效解决单表性能瓶颈。论坛全面适配国产信创达梦数据库及 MySQL,是追求极致性能与合规性的现代社区首选方案。 演示站:https://bbs3.diyhi.com
GitHubGitHub
1.08K