Spring Data Geode Zip-Slip Path Traversal Vulnerability in Snapshot Import on Windows
Vulnerability
A zip-slip path traversal vulnerability has been identified in Spring Data Geode's snapshot import feature, specifically on Windows operating systems. This vulnerability allows attackers to write files outside the designated extraction directory. It affects multiple versions of Spring Data Geode and Spring Data GemFire.
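The following is an added example, not code from Spring Data Geode or Spring Data GemFire, showing the check that prevents this class of bug: every archive entry name is resolved against the destination directory under Windows path rules before anything is written. It uses Python's ntpath so the Windows semantics apply wherever the snippet runs, and it contrasts them with a POSIX-only check that silently passes a backslash-based traversal. The destination path and the archive entries are constructed for the demonstration.

```python
"""Zip-slip entry check for snapshot archives, using Windows path semantics."""
import io
import ntpath
import posixpath
import zipfile


def resolves_inside_windows(entry_name: str, dest_dir: str) -> bool:
    """Return True only if entry_name lands inside dest_dir under Windows rules.

    dest_dir is assumed to be an absolute Windows path, e.g. r"C:\\data\\snapshots".
    """
    # Windows accepts '/' and '\' interchangeably; normalise before checking.
    name = entry_name.replace("/", "\\")
    # Rooted names, drive-letter prefixes ("C:...") and UNC names ("\\host\share")
    # are never legitimate entry names in a snapshot archive.
    if name.startswith("\\") or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return False
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, name))
    # Compare with a trailing separator so "C:\data\snapshots-old\x" is not
    # mistaken for a child of "C:\data\snapshots".
    return target == dest or target.startswith(dest + "\\")


def resolves_inside_posix_only(entry_name: str, dest_dir: str) -> bool:
    """The same check with POSIX semantics only: what a non-Windows-aware
    implementation effectively does. A backslash is an ordinary character here,
    so "..\\..\\x" never leaves dest_dir on paper, yet on Windows it does."""
    dest = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(dest, entry_name))
    return target == dest or target.startswith(dest + "/")


def partition_archive(zip_bytes: bytes, dest_dir: str):
    """Split an archive's entry names into (accepted, rejected) before extraction."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            (accepted if resolves_inside_windows(name, dest_dir) else rejected).append(name)
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample: two ordinary entries and three hostile entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("region.gfd", b"constructed snapshot data")
        zf.writestr("backup/region.gfd", b"constructed snapshot data")
        zf.writestr("../../Users/Public/evil.bat", b"constructed")
        zf.writestr("..\\..\\evil.bat", b"constructed")
        zf.writestr("C:\\Windows\\evil.dll", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    dest = r"C:\data\snapshots"
    ok, bad = partition_archive(build_sample_archive(), dest)
    print("accepted:", ok)
    print("rejected:", bad)
    # The POSIX-only check misses the backslash traversal entirely.
    print("posix-only check passes '..\\..\\evil.bat':",
          resolves_inside_posix_only("..\\..\\evil.bat", "/data/snapshots"))
```

The two things worth taking from this: the prefix comparison must include the trailing separator, and on Windows the separator set and the absolute-path forms (drive letters, UNC) differ from POSIX, so a check written against forward slashes only is not a check at all on that platform.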
Impact
Exploitation of this vulnerability could lead to arbitrary file writes, with potential consequences including code execution, data corruption, or unauthorized persistence through startup scripts.
Remediation
Users can upgrade to the Never-Ending Support (NES) version for Spring Data Geode offered by HeroDevs. As an interim measure, it is recommended to validate the integrity and origin of snapshot archives before importing, avoid importing from untrusted sources, and run the application with minimal filesystem permissions to reduce the impact of arbitrary file writes.
