#VU68298 NULL pointer dereference in UnZip - CVE-2021-4217

Cybersecurity Help s.r.o.

Published: 2022-10-13

Vulnerability identifier: #VU68298

Vulnerability risk: Medium

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-4217

CWE-ID: CWE-476

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
UnZip
Client/Desktop applications / Software for archiving

Vendor: Info-ZIP

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in unzip when handling Unicode strings. A remote attacker can trick the victim to open a specially crafted archive and perform a denial of service (DoS) attack.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

UnZip: 5.2 - 6.10c22

External links
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
https://bugzilla.redhat.com/show_bug.cgi?id=2044583
https://access.redhat.com/security/cve/CVE-2021-4217

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for unzip

Amazon Linux AMI update for unzip

Multiple vulnerabilities in IBM Tivoli Application Dependency Discovery Manager

Multiple vulnerabilities in cflinuxfs3

Ubuntu update for unzip

Denial of service in unzip

openEuler update for unzip