raboof commented on PR #12: URL: https://github.com/apache/geronimo-batchee/pull/12#issuecomment-1306969667
> Does this need a CVE assigned to it? This is up to the Apache Geronimo team to decide. It is not clear to me whether the zip files processed here are assumed come from a trusted source or not: without intimate knowledge of the project, it seems this function would be used to unzip archives with the goal of executing its contents. If that's the case, anyone who can produce these archives can perform arbitrary code execution by design, and the 'zip slip' does not provide any elevated privileges. Of course it is still a valuable change from the perspective of hardening, best practices, and avoiding non-security bugs, but without further analysis I don't necessarily see the reason for a CVE here. Perhaps you or the Geronimo team has additional background that would clarify that need, of course. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@geronimo.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
