CVE-2023-5938 describes a Path Traversal vulnerability discovered in Arc, a file archiving tool. This flaw allows attackers to manipulate archive filenames, leading to arbitrary file extraction and potential system compromise. Versions 0.0 through 1.6.0 are affected, and a fix is available in version 1.6.0.
The vulnerability stems from insufficient filename validation when processing archives. An attacker who can provide a crafted archive to Arc can leverage this to extract files to arbitrary locations on the target filesystem. This could involve overwriting critical system files, injecting malicious code, or gaining unauthorized access to sensitive data. The potential impact includes arbitrary command execution, data breaches, and complete system takeover. This attack pattern shares similarities with other 'zip slip' vulnerabilities where archive contents are used to construct file paths without proper sanitization.
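The root cause described above, an archive entry name being joined onto the extraction directory without checking where the result lands, is easiest to understand by looking at the check that prevents it. The following is an added illustration and is not Arc's code or a reconstruction of its fix: it validates every entry name before writing, rejects absolute paths, drive letters and any name that normalises to a location outside the destination, and then extracts only the entries that pass. The crafted archive is constructed in memory for the demonstration; the entry names in it are invented samples.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if member_name resolves to a path inside dest_dir."""
    # Absolute paths and Windows drive letters can never be inside dest_dir.
    if member_name.startswith(("/", "\\")) or (len(member_name) > 1 and member_name[1] == ":"):
        return False
    # Normalise separators and collapse "." and ".." components first, so that
    # names like "sub/../../x" are judged on where they actually end up.
    normalized = posixpath.normpath(member_name.replace("\\", "/"))
    if normalized == ".." or normalized.startswith("../"):
        return False
    # Final containment check on the resolved path (also covers symlinked dest).
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, normalized))
    return target == dest_real or target.startswith(dest_real + os.sep)


def safe_extract(archive_bytes: bytes, dest_dir: str) -> dict:
    """Extract a zip from memory, skipping any entry that fails is_safe_member."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            rel = posixpath.normpath(info.filename.replace("\\", "/"))
            target = os.path.join(dest_dir, rel)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                # Write the bytes ourselves rather than relying on the library's
                # extract(); the point is that the caller's own check decides.
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return {"extracted": extracted, "rejected": rejected}


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry plus three traversal-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../../etc/evil.conf", "parent-directory traversal\n")
        zf.writestr("/tmp/absolute.txt", "absolute path\n")
        zf.writestr("sub/../../escape.txt", "traversal hidden behind a subdirectory\n")
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the sample archive into a fresh temp dir and report what happened."""
    dest = tempfile.mkdtemp(prefix="safe_extract_demo_")
    result = safe_extract(build_sample_archive(), dest)
    result["dest"] = dest
    result["readme_exists"] = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
    return result


if __name__ == "__main__":
    outcome = run_demo()
    print("extracted:", outcome["extracted"])
    print("rejected: ", outcome["rejected"])
```

The order of the checks matters: normalising before the containment test means an entry such as `sub/../../escape.txt` is caught even though it does not begin with `..`, and resolving both sides with `realpath` keeps the comparison honest when the destination itself is a symlink. The three rejected names are exactly the shapes that a zip-slip archive relies on.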
This CVE was published on 2024-05-15. There are currently no publicly known proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog as of this writing. The probability of exploitation is currently considered low due to the lack of public exploits, but the potential impact warrants attention.
Exploit Status: EPSS 0.45% (64th percentile)
The primary mitigation is to upgrade Arc to version 1.6.0 or later, which includes the necessary filename validation fixes. If upgrading immediately is not feasible, consider restricting the types of archives that Arc can process and implementing strict file access controls to limit the potential damage from a successful exploit. While a WAF or proxy cannot directly prevent this vulnerability, they can be configured to monitor for suspicious archive uploads and extraction attempts. There are no specific Sigma or YARA rules readily available for this particular vulnerability, but monitoring file system modifications after archive processing is recommended.
Upgrade Arc to version 1.6.0 or later. This version fixes the 'zip slip' path traversal vulnerability by correctly validating the filenames contained in archives. Make sure the upgrade is carried out in a test environment before applying it to production.
CVE-2023-5938 is a Path Traversal vulnerability in Arc versions 0.0 - 1.6.0, allowing attackers to extract files to arbitrary locations via malicious archives.
If you are using Arc versions 0.0 through 1.6.0, you are potentially affected by this vulnerability. Check your Arc version and upgrade if necessary.
Upgrade Arc to version 1.6.0 or later to remediate the vulnerability. If immediate upgrade is not possible, restrict archive processing and implement file access controls.
As of now, there are no publicly known active exploits for CVE-2023-5938, but the potential impact warrants vigilance.
Refer to the official Arc project website or security advisories for the latest information and updates regarding CVE-2023-5938.