
Cloud Vulnerability DB
A community-led vulnerabilities database
SharpZipLib (also known as #ziplib), a Zip, GZip, Tar and BZip2 library, was found to contain a path traversal vulnerability (CVE-2021-32840) prior to version 1.3.3. The vulnerability was discovered and reported by Jaroslav Lobačevski from the GitHub Security Lab team. The issue was disclosed on December 8, 2021, and was patched in version 1.3.3, which was released on September 19, 2021 (GitHub Security Lab, SharpZipLib Release).
The vulnerability allows a TAR entry named '../evil.txt' to be extracted into the parent directory of destFolder, escaping the intended extraction directory. This path traversal vulnerability affects versions 0.86.0 through 1.2.0. The issue stems from insufficient validation of extraction paths in the TAR extraction functionality: the entry name is joined onto the destination folder without checking that the resulting path still lies inside it. The vulnerability has been assigned a CVSS 3.1 base score of 9.8 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Ubuntu Security).
The vulnerability can lead to arbitrary file write capabilities, which may ultimately result in code execution on the affected system. This could allow attackers to write files outside the intended extraction directory, potentially overwriting critical system files or inserting malicious code (GitHub Security Lab).
The vulnerability was patched in SharpZipLib version 1.3.3. Users are strongly advised to upgrade to this version or later. The fix includes improved validation of extraction paths to prevent directory traversal attempts. The patch was implemented through additional checks in the TAR extraction functionality (SharpZipLib Release).
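The check the patch describes (validating that every resolved extraction path stays inside the destination folder) is generic, so the following added example shows it in Python rather than in SharpZipLib's own C# code. It is not code from SharpZipLib or its maintainers; the function names, the constructed two-entry archive (one benign entry and one '../evil.txt' entry, as in the report) and the temporary destination directory are all assumptions made for illustration. The example builds the archive in memory, classifies each entry as safe or rejected, and extracts only the safe ones.

```python
import io
import os
import tarfile
import tempfile


def is_within_directory(dest_dir: str, target_path: str) -> bool:
    """Return True only if target_path resolves to a location inside dest_dir.

    Both paths are made absolute and normalised so that '..' segments,
    redundant separators and symlinked prefixes cannot escape dest_dir.
    """
    dest_real = os.path.realpath(dest_dir)
    target_real = os.path.realpath(target_path)
    # commonpath rejects prefix tricks such as '/tmp/out' vs '/tmp/outside'.
    return os.path.commonpath([dest_real, target_real]) == dest_real


def entry_is_safe(dest_dir: str, entry_name: str) -> bool:
    """Apply the containment check to one archive entry name (hypothetical helper)."""
    if os.path.isabs(entry_name):
        return False
    candidate = os.path.join(dest_dir, entry_name)
    return is_within_directory(dest_dir, candidate)


def classify_entries(tar_bytes: bytes, dest_dir: str) -> dict:
    """Split the members of a TAR archive into safe and rejected entry names.

    An entry is rejected when joining its name onto dest_dir would resolve
    outside dest_dir (the CVE-2021-32840 pattern) or when it is absolute.
    """
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            (safe if entry_is_safe(dest_dir, member.name) else rejected).append(member.name)
    return {"safe": safe, "rejected": rejected}


def safe_extract(tar_bytes: bytes, dest_dir: str) -> list:
    """Extract only the entries that stay inside dest_dir; return the paths written."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            if not entry_is_safe(dest_dir, member.name):
                continue  # would land outside dest_dir: skip it
            candidate = os.path.join(dest_dir, member.name)
            if member.isdir():
                os.makedirs(candidate, exist_ok=True)
                continue
            if not member.isfile():
                continue  # symlinks, devices and the like are not written
            os.makedirs(os.path.dirname(candidate), exist_ok=True)
            with tar.extractfile(member) as src, open(candidate, "wb") as dst:
                dst.write(src.read())
            written.append(candidate)
    return written


def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("docs/readme.txt", b"hello\n"), ("../evil.txt", b"pwned\n")):
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    dest = tempfile.mkdtemp()  # assumed destination folder for the demo
    archive = build_sample_tar()
    print(classify_entries(archive, dest))
    print(safe_extract(archive, dest))
```

The check is done on the fully resolved path rather than on the entry name alone, because rejecting only a leading `..` misses forms such as `docs/../../evil.txt`; `os.path.commonpath` is used instead of a string prefix test so that a sibling directory sharing a prefix with the destination is not accepted.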
Source: This report was generated using AI