raboof commented on PR #12: URL: https://github.com/apache/geronimo-batchee/pull/12#issuecomment-1319681866
> "anywhere" does not mean "downloaded from a random source" but literally "put by an user there". So BatchEE does not take into account the zip creation of the zip it extracts but it must be put intentionally by end user there so if it is insecure the user intentionally put an insecure zip, similarly to put an attacker code voluntary in tomcat webapps folder. That's indeed how I understood your previous comment. Based on this it doesn't look like the zip slip provides any additional privileges to an attacker (as an attacker that can control the zip already has full control, right?). If that's indeed the case I don't see a reason to issue a CVE. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@geronimo.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org