CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-26049 – Arbitrary File Write via Archive Extraction (Zip Slip)
https://notcve.org/view.php?id=CVE-2022-26049
11 Sep 2022 — This affects the package com.diffplug.gradle:goomph before 3.37.2. It allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/directories could allow an attacker to achieve remote code execution on a target system by exploiting this vulnerability. **Note:** This could have allowed a malicious zip file to extract itself into an arbitrary directory. The only file that Goomph extracts is ... • https://github.com/diffplug/goomph/commit/25f04f67ba62d9a14104bee13a0a0f2517afb8c8 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •