CVE-2021-23520
PUBLISHED
The package juce-framework/juce before 6.1.5 is vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) through the ZipFile::uncompressEntry function in juce_ZipFile.cpp. The vulnerability is triggered when the archive is extracted by calling uncompressTo() on a ZipFile object.
Risk Scores
EPSS Score: 0.74% (73.3rd percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | juce | 0, 4.1.0+repack-3 |
| Ubuntu:25.10 | juce | 8.0.6+ds-2, 0 |
| Ubuntu:20.04:LTS | juce | *, 0, 5.4.6~ds0-1 |
| Ubuntu:22.04:LTS | juce | 6.1.3~ds0-1, 0, 6.1.4~ds0-1 |
| Ubuntu:18.04:LTS | juce | *, 0, 4.3.0~repack-1 |
| Ubuntu:24.04:LTS | juce | 0, 7.0.5+ds-2, 7.0.5+ds-1build2 |
Timeline
- Jan 31, 2022 CVE Published
- Feb 1, 2022 EPSS Score
- Mar 26, 2022 EPSS Score
- May 17, 2022 EPSS Score
- Jul 9, 2022 EPSS Score
- Sep 1, 2022 EPSS Score
- Oct 23, 2022 EPSS Score
- Dec 15, 2022 EPSS Score
- Feb 6, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 31, 2023 EPSS Score
- May 22, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-23520 third-party-advisory
- https://snyk.io/vuln/SNYK-UNMANAGED-JUCEFRAMEWORKJUCE-2388607 third-party-advisory
- https://snyk.io/research/zip-slip-vulnerability third-party-advisory
- https://github.com/juce-framework/JUCE/commit/2e874e80cba0152201aff6a4d0dc407997d10a7f third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-23520 third-party-advisory