First published: 4th July 2022
Last updated: 4th July 2022
A vulnerability has been found in the implementation of DotNetZip.Semvered before 1.11.0. This affects the following supported DriveLock products (supported at the time this bulletin was created):
DotNetZip.Semvered before 1.11.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
The DriveLock security awareness component and the DES use this component to unzip content, which was previously packed by DriveLock itself.
A full list of related CVEs is available in the following section.
Beginning with our next release, 2022.2, DriveLock will use a different library for handling ZIP files. Customers can then update to this version.
All customers can update their environment as soon as our new version, DriveLock 2022.2, has been officially released.