In early 2021, IT security consultant Egidio Romano discovered a Zip Slip vulnerability in JFrog’s Artifactory, a leading software repository manager. This vulnerability allows attackers to execute arbitrary code through path traversal attacks when processing or extracting archive files such as Zip or Tar archives. Romano reported the flaw to JFrog’s private Bug payment Program and received USD 5,000 for his discovery.
The vulnerability is located in the org.artifactory.addon.bower.helpers.BowerExternalDependenciesHandler class, specifically in the extractBowerPackage() function, which calls the vulnerable copyEntryToFile() method. Attackers can exploit this by providing a malicious Bower package containing dot-dot-slash (../) sequences within its entry filenames, leading to Remote Code Execution (RCE) attacks. Although an admin account is typically needed to create Bower repositories, non-admin users with the ability to deploy artifacts in a Bower Virtual Repository with the “Enable Dependency Rewrite” option selected can also exploit this bug.
Path Traversal attacks, also known as Directory Traversal attacks, take advantage of insufficient input validation of user-supplied file names. These attacks involve characters that indicate “traverse to parent directory”—also known as dot-dot-slash (../) sequences—being delivered to the file system API of the operating system. This allows attackers to obtain unauthorized access to the file system and read or write any file on the system, potentially leading to Information Disclosure or Remote Code Execution attacks.
Zip Slip vulnerabilities typically originate from human error, such as forgetfulness or erroneous assumptions, and exploit developers’ lack of control by writing arbitrary files within unexpected folders. In this case, attackers can gain total control of devices running programs that are susceptible to Zip Slip attacks. These kinds of security flaws highlight the importance of rigorous input validation and secure coding practices to prevent such vulnerabilities.
Reference:
