CVE-2022-23793 An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0

This issue has been resolved in Joomla! 3.9.7, 4.0.6, 4.2.4, 4.3.2, 4.4.1, and 4.5.0. This issue was resolved in Joomla! 3.9.7, 4.0.6, 4.2.4, 4.3.2, 4.4.1, and 4.5.0. A bug was discovered in the Joomla! tar file extraction that could result in extracting an invalid tar package file, or extracting an invalid tar package with a corrupt directory structure. This could result in the creation of a corrupt directory structure. This issue has been resolved in Joomla! 3.9.7, 4.0.6, 4.2.4, 4.3.2, 4.4.1, and 4.5.0. Extraction of an invalid tar package could result in the creation of a corrupt directory structure. This issue has been resolved in Joomla! 3.9.7, 4.0.6, 4.2.4, 4.3.2, 4.4.1, and 4.5.0. An issue was discovered in the Joomla! tar file extraction that could result in extracting an invalid tar package file, or extracting an invalid tar package with a corrupt directory structure. This could result in the creation of a corrupt directory structure

Joomla! 3.9.7 March 2016

Fixed an issue where extracting a tar package could result in the creation of a corrupt directory structure

What is the Open Source Software Security Project?

The Open Source Software Security Project (OSSP) is an effort to get more eyes on security vulnerabilities in open source software. The OSSP is a collaboration between many open source software developers and security experts who are dedicated to improving the security of open source software.

The most important thing that you need to know about the OSSP is that they're committed to raising awareness of security issues in open source software. They also have a way for people to find out about new vulnerabilities without alerting hackers. This allows admins, developers, and anyone else involved with Open Source Software Security projects to monitor their systems for any potential threats.

Another advantage of the OSSP is that it's free for everyone involved in the project. You don't have to be a developer or an admin in order to see whether or not your system has been affected by new vulnerabilities throughout this project.

How do I know if my site is vulnerable?

If you need to determine if your site is vulnerable, you can do so by following these steps:
- Log into the Joomla! admin area
- Go to System > Components
- Locate and click on the Install tab at the top of the page
- In the Search box, enter “Extract Tar Packages”. This will display a list of all installed extensions that have this feature enabled.
- Review each extension for an option to disable it (by clicking on its name in the list) or enable it (by clicking on its name and then selecting Enable). If you see an option for “Disable Installed Extensions”, then select that option.
- Scroll down and click on the "Extract tar packages" link at the bottom of the list. This will display all extensions that are enabled with this feature. You will be able to see if any extensions are disabled by their description in bold text.

Timeline

Published on: 03/30/2022 16:15:00 UTC
Last modified on: 04/05/2022 12:26:00 UTC

References

• https://developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.html
• http://packetstormsecurity.com/files/166546/Joomla-4.1.0-Zip-Slip-File-Overwrite-Path-Traversal.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23793