This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)
**Essence**: Path Traversal in Deep Java Library (DJL). **Consequences**: Attackers can overwrite system files by supplying archives whose entries carry absolute paths. **Impact**: High severity (CVSS 9.8).…
**CWE**: CWE-22 (Path Traversal). **Flaw**: The library fails to sanitize archive entry names. Entries with absolute paths are accepted as-is, so their contents are written directly into the system filesystem instead of the intended extraction directory (the sandbox).
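The check that the flaw above is missing, as an added example (not DJL's own code): an archive entry name is resolved against the intended extraction directory and rejected if it is absolute or if the normalized result escapes that directory. The extraction directory and the entry names are constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

// Added example, not DJL's own code: validate archive entry names before
// anything is written to disk. Absolute entry names (the case this advisory
// describes) and parent-directory traversal are both rejected.
public final class SafeArchiveEntry {

    /** Returns the on-disk target for an entry, or throws if the name escapes the extraction directory. */
    public static Path resolveEntry(Path extractDir, String entryName) {
        Path base = extractDir.toAbsolutePath().normalize();
        // Treat both '/' and '\' as separators so "C:\..." style names are not missed on POSIX.
        String cleaned = entryName.replace('\\', '/');
        if (cleaned.startsWith("/") || cleaned.matches("^[A-Za-z]:/.*")) {
            throw new IllegalArgumentException("absolute entry name rejected: " + entryName);
        }
        Path target = base.resolve(cleaned).normalize();
        // ".." segments are caught here: after normalize() the result no longer
        // starts with the extraction directory, so Path.startsWith() fails.
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("entry escapes extraction dir: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path sandbox = Paths.get("/tmp/djl-cache/model"); // hypothetical extraction directory
        // Constructed entry names: the first two are legitimate, the last two must be rejected.
        List<String> entries = Arrays.asList(
                "model.pt",
                "weights/layer1.bin",
                "/absolute/elsewhere/file.bin",
                "../../outside/file.bin");
        for (String name : entries) {
            try {
                System.out.println("OK      " + name + " -> " + resolveEntry(sandbox, name));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT  " + e.getMessage());
            }
        }
    }
}
```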
Q3. Who is affected? (Versions/Components)
**Vendor**: Deep Java Library (djl). **Affected**: Versions **0.1.0** up to **0.27.0**. **Fixed**: Version 0.28.0 and later are safe.
Q4. What can hackers do? (Privileges/Data)
**Privileges**: File writes happen with the privileges of the user running the application. **Data**: Can overwrite critical system files. **Result**: Remote Code Execution (RCE) potential, service disruption, or data theft via file manipulation.
**Public Exp**: No specific PoC code provided in data. **Status**: Publicly disclosed via GitHub Advisory. **Risk**: High likelihood of in-the-wild exploitation due to the low barrier to entry.
Q7. How to self-check? (Features/Scanning)
**Check**: Scan for `djl` dependency versions < 0.28.0. **Audit**: Review code paths that load model archives from untrusted sources. **Tool**: Use SAST/DAST tools that detect CWE-22 in Java archive handling.