movie
Challenge Information
Project: apache-commons-compress
Type: delta
Harnesses: 16
Vulnerabilities: 1
AFC Challenge Performance
Number of Unique Vulnerabilities Discovered: #
Number of Teams with Scoring PoVs: 5
Number of Teams with Scoring Patches: 5
Number of Teams with Scoring Bundles: 5
Total Points Scored for this Challenge: 55.5250690242944
Commons Compress - movie
This challenge is a delta scan challenge. The challenge includes one synthetic vulnerability (vuln_6).
Challenge Rounds
This challenge has been included in the following set of rounds.
- Exhibition Round 3
Challenge Harnesses
- ArchiverArFuzzer
- ArchiverArjFuzzer
- ArchiverCpioFuzzer
- ArchiverDumpFuzzer
- ArchiverTarStreamFuzzer
- ArchiverZipStreamFuzzer
- CompressorBZip2Fuzzer
- CompressorDeflate64Fuzzer
- CompressorGzipFuzzer
- CompressorLZ4Fuzzer
- CompressorSnappyFuzzer
- CompressorZFuzzer
- CompressSevenZFuzzer
- CompressTarFuzzer
- CompressZipFuzzer
- ExpanderFuzzer
Challenge Vulnerabilities
zip slip from url normalization
Vulnerability Information
Author: Tim Allison
Harness: ExpanderFuzzer
CWE Classification: CWE-35, CWE-22, CWE-29
Description
The vulnerable code performs URL normalization on the output path after the zip slip check has already run, so the check is applied to a path that can differ from the one finally used. This affects all archive formats.
Creating a POV requires some effort, but the vulnerability is straightforward to detect and fix.
