Security Bulletin #22-003 - DotNetZip.Semvered external library vulnerability

First published: 4th July 2022
Last updated: 4th July 2022
Severity: Low

Summary

A vulnerability has been found in the implementation of DotNetZip.Semvered before version 1.11.0. It affects the following DriveLock products (those supported at the time this bulletin was created):

  • DriveLock 2020.2
  • DriveLock 2021.1
  • DriveLock 2021.2
  • DriveLock 2022.1

Description

DotNetZip.Semvered before 1.11.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

The DriveLock security awareness component and the DES use this library to unzip content that DriveLock itself packed beforehand.
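To make the Zip-Slip mechanism concrete from the defender's side, here is an added example (not DriveLock's or DotNetZip's code; written in Python rather than .NET so it can be run anywhere) of an extractor that resolves every entry name against the destination directory and refuses any entry that would land outside it. The function names, the in-memory sample archive with one benign entry and one "../" entry, and the temporary directory layout are all constructed for this illustration.

```python
import io
import os
import tempfile
import zipfile


def is_safe_entry(entry_name: str, dest_root: str) -> bool:
    """Accept an archive entry only if it resolves to a path inside dest_root.

    Normalises backslashes to slashes (ZIP entries may carry either), rejects
    absolute paths and drive prefixes, then compares the fully resolved target
    against the resolved destination root.
    """
    name = entry_name.replace("\\", "/").strip()
    if not name or name.startswith("/") or os.path.splitdrive(name)[0]:
        return False
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, name))
    # commonpath shrinks to a shorter prefix when the target escapes root
    return os.path.commonpath([root, target]) == root


def safe_extract(zip_bytes: bytes, dest_root: str):
    """Extract only entries that pass is_safe_entry; report both outcomes.

    Returns (extracted, rejected) lists of entry names. Rejected entries are
    skipped rather than "fixed up", so the caller can log them as evidence of
    a tampered archive.
    """
    extracted, rejected = [], []
    root = os.path.realpath(dest_root)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(info.filename, dest_root):
                rejected.append(info.filename)
                continue
            target = os.path.join(root, info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry and one '../' entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"benign content\n")
        zf.writestr("../../escaped.txt", b"should never land on disk\n")
    return buf.getvalue()


def demo() -> dict:
    """Run the hardened extractor on the constructed archive in a temp dir.

    Layout: <parent>/a/unpack is the destination, so the '../../' entry would
    resolve to <parent>/escaped.txt if it were honoured.
    """
    parent = tempfile.mkdtemp()
    dest = os.path.join(parent, "a", "unpack")
    os.makedirs(dest)
    extracted, rejected = safe_extract(build_sample_archive(), dest)
    with open(os.path.join(dest, "docs", "readme.txt"), "rb") as fh:
        readme = fh.read()
    escaped_on_disk = os.path.exists(os.path.join(parent, "escaped.txt"))
    return {
        "extracted": extracted,
        "rejected": rejected,
        "readme": readme,
        "escaped_on_disk": escaped_on_disk,
    }


if __name__ == "__main__":
    print(demo())
```

The check deliberately compares resolved paths (after realpath) rather than just scanning for the literal "../" substring: that also covers entries such as "docs/../../x", backslash separators, and absolute paths, which a naive string match would miss. Rejecting rather than silently renaming escaping entries keeps a clear signal for logging and incident response.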

A full list of related CVEs is given in the following section.

References

Mitigation

Beginning with our next release, 2022.2, DriveLock will use a different library for handling ZIP files. Customers can then update to this version.

How to update your environment

All customers can update their environment as soon as our new version, DriveLock 2022.2, has been officially released.