ADVISORIES
GEM
SEVERITY
CVSS v3.x: 5.3 (Medium)
UNAFFECTED VERSIONS
- < 8.3.5
PATCHED VERSIONS
- >= 13.5.1
DESCRIPTION
Impact
The patch for the historical vulnerability CVE-2020-35460 in MPXJ is incomplete as there is still a possibility that a malicious path could be constructed which would not be picked up by the original fix and allow files to be written to arbitrary locations.
Patches
The issue is addressed in MPXJ version 13.5.1
Workarounds
Do not pass zip files to MPXJ.
References
N/A