Stencil, Directory Traversal, CVE-2023-1234 (Medium)

The CVE-2023-1234 vulnerability in Stencil arises from a “zip slip” attack in the archive extraction library (github.com/jaredallard/archives). This flaw allows maliciously crafted ZIP archives to write files outside the intended extraction directory by using path traversal sequences (../). When Stencil processes such an archive—either for native extensions or repository sources—an attacker can overwrite or create arbitrary files, leading to remote code execution (RCE) or sensitive file manipulation.
The flaw exists because the library does not check that an entry's path, once joined to the extraction directory, still resolves inside that directory. If a user extracts a malicious archive, entries with crafted names (e.g., ../../malicious.sh) escape the target directory and can overwrite system or user files. Native extensions already carry inherent risk; this vulnerability extends the threat to repository archives, although exploitation still requires tricking a user into processing a malicious archive.

DailyCVE Form

Platform: Stencil
Version: <2.3.0
Vulnerability: Zip Slip
Severity: Medium
Date: 2023-01-15

What Undercode Say:

Exploit:

1. Craft a ZIP with traversal paths:

echo "malicious payload" > ../../exploit.sh
zip -r malicious.zip ../../exploit.sh

2. Distribute the archive via repo sources.

Detection:

unzip -l suspect.zip | grep -F '../'

Protection:

1. Update to Stencil ≥2.3.0.

2. Sanitize paths pre-extraction:

import os
import zipfile

def safe_extract(archive, target_dir):
    # Resolve the target once; every member must land inside it.
    root = os.path.realpath(target_dir)
    for name in archive.namelist():
        # Join and normalise, then check containment (catches "../", absolute
        # names and "a/../../x" alike, not just a literal "../" substring).
        dest = os.path.realpath(os.path.join(root, name))
        if os.path.commonpath([root, dest]) != root:
            raise ValueError(f"Malicious path detected: {name}")
    archive.extractall(root)

3. Restrict extraction permissions (chroot itself needs root, and /safe/dir must contain the unzip binary, its shared libraries and the archive, since paths resolve inside the new root):

chroot /safe/dir unzip user_upload.zip
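The containment check that the description above and Protection step 2 call for, written as an added example in Go because the affected archive library (github.com/jaredallard/archives) is Go. This is not Stencil's or the library's own code, and the member names, contents and the target directory are constructed for the demonstration. It resolves each member name against the extraction root and refuses the whole archive if any member would land outside it; the same routine doubles as a listing-level detector.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// safeJoin resolves an archive member name against root and reports whether the
// result stays inside root; absolute names and ".." climbs (zip slip) are rejected.
func safeJoin(root, name string) (string, bool) {
	name = strings.ReplaceAll(name, "\\", "/") // "..\evil" must not slip past on POSIX
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", false
	}
	cleanRoot := filepath.Clean(root)
	dest := filepath.Join(cleanRoot, filepath.FromSlash(name)) // Join cleans the ".."s
	rel, err := filepath.Rel(cleanRoot, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false
	}
	return dest, true
}

// findTraversal returns every member that would land outside root (the archive-level
// equivalent of grepping the listing for "../", but immune to "a/../../x" variants).
func findTraversal(zr *zip.Reader, root string) []string {
	var bad []string
	for _, f := range zr.File {
		if _, ok := safeJoin(root, f.Name); !ok {
			bad = append(bad, f.Name)
		}
	}
	return bad
}

// safeExtract validates every member before writing anything, so a bad archive is
// refused whole rather than leaving a half-extracted tree behind.
func safeExtract(zr *zip.Reader, root string) error {
	if bad := findTraversal(zr, root); len(bad) > 0 {
		return fmt.Errorf("zip slip: %d unsafe member(s), first %q", len(bad), bad[0])
	}
	for _, f := range zr.File {
		dest, _ := safeJoin(root, f.Name) // validated above
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(dest, 0o755); err != nil {
				return err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
			return err
		}
		rc, err := f.Open()
		if err != nil {
			return err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return err
		}
		// Fixed, non-executable mode: permission bits from the archive are not trusted.
		if err := os.WriteFile(dest, data, 0o644); err != nil {
			return err
		}
	}
	return nil
}

// buildArchive constructs an in-memory ZIP with the given member names
// (constructed sample data for this demonstration, not a real artefact).
func buildArchive(names []string) (*zip.Reader, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		w, err := zw.Create(n)
		if err != nil {
			return nil, err
		}
		io.WriteString(w, "sample content for "+n+"\n")
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	zr, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	if zr == nil { // newer Go may pair a usable reader with zip.ErrInsecurePath; we decide ourselves
		return nil, err
	}
	return zr, nil
}

func main() {
	// Constructed member names: one legitimate entry and three that escape the target.
	zr, err := buildArchive([]string{"docs/readme.txt", "../../exploit.sh", "/etc/cron.d/job", "a/b/../../../escape"})
	if err != nil {
		panic(err)
	}
	root := filepath.Join(os.TempDir(), "stencil-extract-demo")
	fmt.Println("unsafe members:", findTraversal(zr, root), "extract:", safeExtract(zr, root))
}
```

The check deliberately works on the resolved path rather than on the literal substring "../": a name such as a/b/../../../escape contains "../" only after a harmless-looking prefix, and an absolute name contains none at all, yet both end up outside the target. Refusing the whole archive before the first write also means a partially malicious archive cannot leave a half-populated tree behind.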

Mitigation Commands:

Audit existing extractions:
find / -type f -name "*.sh" -mtime -1 -exec ls -la {} \;

References:

Reported By: https://github.com/advisories/GHSA-p799-q2pr-6mxj