Description
FileUtil.extract() enumerates all entries of a zip archive and writes each one to disk without checking whether the entry's path resolves outside the intended extraction directory (a "zip slip" path traversal). When a TensorflowModel instance is created from an exported TensorFlow model in the saved_model format, its apply() function invokes this vulnerable implementation of FileUtil.extract(), so a crafted archive can write files at attacker-chosen locations. Arbitrary file creation can directly lead to code execution.
Remediation
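The missing check is a path validation performed before each entry is written. The following is an added example, not MLeap's code or its actual fix: a zip extractor that resolves every entry path and refuses any that would land outside the destination, exercised against a constructed archive containing one legitimate model file and one traversal entry. The function names (safe_extract, build_sample_archive, run_demo) are this example's own.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def safe_extract(data: bytes, dest: str) -> dict:
    """Extract a zip archive, refusing any entry whose normalized path would
    land outside dest; returns the entry names written and rejected."""
    base = Path(dest).resolve()
    base.mkdir(parents=True, exist_ok=True)
    result = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Reject absolute names and anything whose resolved path leaves base.
            target = (base / name).resolve()
            if os.path.isabs(name) or base not in target.parents:
                result["rejected"].append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            result["extracted"].append(name)
    return result


def build_sample_archive() -> bytes:
    """Constructed sample: one legitimate model file plus one entry whose
    name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("saved_model/variables/data.bin", b"weights")
        zf.writestr("../../escaped.txt", b"must not be written")
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the sample into a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "model")
        result = safe_extract(build_sample_archive(), dest)
        result["legit_on_disk"] = os.path.isfile(
            os.path.join(dest, "saved_model", "variables", "data.bin"))
    return result
```

Resolving the joined path (rather than string-matching for "..") also covers symlinked destination directories, since both sides of the comparison are canonicalized.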
References
https://github.com/combust/mleap/pull/866#issuecomment-1738032225
https://research.jfrog.com/vulnerabilities/mleap-path-traversal-rce-xray-532656/