Severe security vulnerability in Bower’s zip archive extraction
Bower, a popular web package manager, has been found vulnerable to path traversal during archive extraction because of Zip Slip flaws in its decompress-zip dependency. Two security incidents have been associated with this issue; they were fixed in Bower 1.8.6 and 1.8.8. Despite the rise of other tools such as Webpack, yarn, and the npm registry, Bower is still heavily relied upon, with nearly two million downloads per month. A security researcher reported an arbitrary file write achieved through improper validation of symlinks, resulting from the way Bower handles tar archive extraction. The issue was fixed in Bower 1.8.8 by ignoring any symlinks in packages to be installed.
Company
Snyk
Date published
Jan. 31, 2019
Author(s)
Liran Tal
Word count
995
Language
English
Hacker News points
2