Chall-Manager Zip Slip Vulnerability in Scenario Decoding
Vulnerability
A zip slip vulnerability has been identified in Chall-Manager, a platform-agnostic system that starts Challenges on Demand for players. The issue arises during the decoding of scenarios from zip archives, where the file path for extraction is not properly validated. This oversight can lead to zip slip attacks, allowing files to be extracted outside of the intended directory. The vulnerability exists in versions prior to 0.1.4 and can be exploited by anyone, without the need for authentication or authorization. Although it is recommended to keep Chall-Manager hidden within the infrastructure due to its extensive capabilities, this vulnerability could still be exploited if the system is exposed.
Impact
An attacker who supplies a crafted zip archive can have its contents extracted outside of the intended directory, potentially overwriting critical files or disrupting the application's functionality.
Remediation
Users can upgrade to Chall-Manager version 0.1.4 or later to address this vulnerability.
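The path validation whose absence causes this class of bug, shown as an added Go example (not Chall-Manager's code or its actual fix): each entry name is resolved under the extraction directory, and the whole archive is rejected before any write if one entry escapes it. The names safeJoin, resolveTargets and makeZip, the sample entry names and the /tmp/scenario directory are hypothetical.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin maps an entry name under dest; it errors if the cleaned path escapes dest.
func safeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, name) // Join cleans "." and ".." segments
	// Rel-based check: strings.HasPrefix(target, dest) would accept dest+"-other".
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %s", name, dest)
	}
	return target, nil
}

// resolveTargets validates every entry before anything is written and returns the paths to write.
func resolveTargets(zr *zip.Reader, dest string) ([]string, error) {
	targets := make([]string, 0, len(zr.File))
	for _, f := range zr.File {
		t, err := safeJoin(dest, f.Name)
		if err != nil {
			return nil, err // one bad name rejects the whole archive
		}
		targets = append(targets, t)
	}
	return targets, nil
}

// makeZip builds a constructed in-memory sample archive of empty files (errors ignored).
func makeZip(names ...string) *zip.Reader {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		w.Create(n)
	}
	w.Close()
	zr, _ := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	return zr
}

func main() {
	fmt.Println(resolveTargets(makeZip("main.go", "sub/config.yaml"), "/tmp/scenario"))
	fmt.Println(resolveTargets(makeZip("main.go", "../scenario-other/x"), "/tmp/scenario"))
}
```

An extractor built on this should write only to the returned paths, and should handle symlink entries separately, which this check does not cover.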
