loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive. https://github.com/Stuk/jszip/compare/v3.7.1...v3.8.0 https://www.mend.io/vulnerability-database/WS-2023-0004 https://exchange.xforce.ibmcloud.com/vulnerabilities/244499 https://github.com/Stuk/jszip/commit/2edab366119c9ee948357c02f1206c28566cdf15
Created mozjs68 tracking bugs for this issue: Affects: fedora-all [bug 2166203] Created mozjs78 tracking bugs for this issue: Affects: fedora-all [bug 2166204] Created seamonkey tracking bugs for this issue: Affects: fedora-all [bug 2166205]
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2023:1428 https://access.redhat.com/errata/RHSA-2023:1428
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-48285