Public Disclosure of a Critical Arbitrary File Overwrite Vulnerability: Zip Slip
Zip Slip is exploited using a specially crafted archive whose entry names contain directory traversal sequences (e.g.
../../evil.sh). An extractor that joins such a name onto the destination directory without validating the resulting path writes the entry outside that directory, which is what turns a simple unpack into an arbitrary file overwrite. The vulnerability can affect numerous archive formats, including
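The traversal mechanism described above, as an added example that is not code from the original post or from any of the affected libraries. It is a Python stand-in for the Java extraction loops the advisory is concerned with: the archive is constructed in memory (the entry names are the only thing that matters), the first extractor joins names onto the destination directory without any check, and the second resolves each entry and refuses the whole archive if any entry lands outside the destination. Function names and the on-disk layout are this example's own assumptions.

```python
import io
import os
import tempfile
import zipfile


def build_zip_slip_archive() -> bytes:
    """Construct, in memory, an archive carrying a traversal entry name.

    Constructed sample input for this example; not a real-world artefact.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign file\n")
        # The malicious entry: its name walks up out of the extraction directory.
        # zipfile stores the name verbatim; only ZipFile.extract() sanitises it,
        # and the extractors below deliberately do not use that method.
        zf.writestr("../../evil.sh", "#!/bin/sh\necho pwned\n")
    return buf.getvalue()


def extract_vulnerable(archive: bytes, dest: str) -> list:
    """The Zip Slip pattern: entry name joined onto dest with no validation."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no check at all
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def extract_safe(archive: bytes, dest: str) -> list:
    """Hardened extractor: resolve every target and require it to stay under dest.

    Validation runs over all entries before anything is written, so a bad entry
    late in the archive cannot leave a half-extracted tree behind. The same check
    also rejects absolute entry names, which os.path.join would otherwise honour.
    """
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        planned = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"entry escapes extraction dir: {info.filename!r}")
            planned.append((info, target))
        written = []
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(target)
    return written


def run_demo() -> dict:
    """Run both extractors against the constructed archive inside a temp dir."""
    archive = build_zip_slip_archive()
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp_real = os.path.realpath(tmp)
        # Nest the destination so the traversal stays inside the temp dir.
        dest = os.path.join(tmp, "a", "b", "extract")
        os.makedirs(dest)
        dest_real = os.path.realpath(dest)
        paths = extract_vulnerable(archive, dest)
        # Files that ended up outside the directory we asked to extract into.
        result["vulnerable_escaped"] = sorted(
            os.path.relpath(p, tmp_real)
            for p in paths
            if os.path.commonpath([dest_real, p]) != dest_real
        )
        safe_dest = os.path.join(tmp, "safe")
        os.makedirs(safe_dest)
        try:
            extract_safe(archive, safe_dest)
            result["safe_rejected"] = False
        except ValueError:
            result["safe_rejected"] = True
        # The hardened path must not have written anything before rejecting.
        result["safe_dir_empty"] = os.listdir(safe_dest) == []
    return result


if __name__ == "__main__":
    print(run_demo())
```

With the vulnerable extractor the malicious entry lands at `a/evil.sh`, two levels above the requested extraction directory; the hardened extractor rejects the archive and leaves its destination untouched. The check is the one to look for when auditing your own unpacking code: the canonicalised target path must start with the canonicalised destination, and a string prefix test on unresolved paths is not enough.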
Watch the video below to see a live exploit of the Zip Slip vulnerability:
If you'd like more information on this vulnerability, including the libraries and projects that are affected, how to find out whether you're affected, and the remediation steps you should take, read through our Zip Slip Vulnerability Research page.
Given the severity and widespread nature of the Zip Slip vulnerability, I very strongly recommend you spend some time ensuring you are not vulnerable, either through other libraries or through your own extraction code.
All projects monitored by Snyk will receive alerts if they are using one of the vulnerable libraries. If your projects use Java and you are a Standard, Pro or Enterprise customer, I also recommend you use the Reports tab to discover which of them use the Apache Commons Compress library, and inspect the code of those projects to confirm it is not vulnerable.
If you would like to discuss this vulnerability in more detail, or for further media reporting, please contact us via email@example.com.