Executive Summary

This vulnerability occurs when the Python function shutil.unpack_archive() is used to extract a ZIP archive on a Windows system. If the ZIP archive contains files with absolute Windows paths that include a drive letter (e.g., C:\...), the files can be extracted outside the intended target directory. This behavior is different from other operating systems and can lead to files being placed in unintended locations on the filesystem.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in shutil.unpack_archive() on Windows allows ZIP archives to write files outside the intended extraction directory, potentially overwriting critical files. This arbitrary file write capability could lead to unauthorized data modification or exposure.

Such unauthorized file writes and potential data integrity breaches may impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on data confidentiality, integrity, and access. If exploited, this vulnerability could result in unauthorized access or alteration of sensitive data, thereby violating these regulatory requirements.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by examining ZIP archives that are extracted using Python's shutil.unpack_archive() function on Windows systems, specifically looking for ZIP entries with absolute Windows paths containing drive letters (e.g., C:\ or D:/). Such entries may cause files to be written outside the intended extraction directory.

To detect exploitation attempts or presence of this vulnerability, you can monitor extraction operations for ZIP files containing entries with drive-prefixed paths or absolute paths.

While no specific commands are provided in the resources, a practical approach is to inspect ZIP files before extraction using Python or command-line tools to list their contents and check for entries starting with drive letters or absolute paths.

• Use Python's zipfile module to list ZIP contents and check for drive-prefixed paths:
• ```python import zipfile with zipfile.ZipFile('archive.zip') as z: for name in z.namelist(): if name[1:3] == ':/' or name[1:3] == ':\\': print(f'Drive-prefixed path found: {name}') ```
• Use command-line tools like 'zipinfo' or '7z l' to list archive contents and manually inspect for absolute Windows paths.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating Python to a version where the vulnerability has been fixed. The fix involves modifying shutil.unpack_archive() to use ZipFile.extractall(), which properly sanitizes drive-prefixed paths on Windows.

The fix has been backported and merged into Python versions 3.10 through 3.14, so upgrading to one of these patched versions will mitigate the vulnerability.

Until the update is applied, avoid extracting untrusted ZIP archives containing absolute Windows paths with drive letters using shutil.unpack_archive() on Windows.

Alternatively, manually inspect ZIP archives for suspicious entries before extraction or use safer extraction methods that sanitize paths.

Useful 0 Not Useful 0

Impact Analysis

The impact of this vulnerability is that an attacker could craft a ZIP archive with absolute paths that cause files to be extracted outside the expected directory. This could lead to overwriting or placing files in sensitive locations on a Windows system, potentially resulting in unauthorized file modification or code execution depending on the context in which the archive is unpacked.

Useful 0 Not Useful 0