Zip Slip Vulnerability in iceScrum v7.54 Pro On-prem

HIGH (8.8) No Patch

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

iceScrum is project management software used by some organizations for team collaboration and task management. The Zip Slip vulnerability in the "import a Project" component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code by uploading a crafted Zip file. Zip Slip is a path-traversal flaw in archive extraction: entries whose names contain `../` sequences are written outside the intended destination directory, which puts the integrity and security of the system at risk.
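To show the check an archive importer has to make, here is an added Python example (not iceScrum's code): a two-pass extractor that resolves every entry path and rejects the whole archive if any entry would land outside the destination, exercised against a constructed clean export and a constructed archive carrying a `../` entry.

```python
import io
import shutil
import tempfile
import zipfile
from pathlib import Path


class ZipSlipError(Exception):
    """An archive entry would be written outside the destination directory."""


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Extract a zip into `dest`, refusing the whole archive on any escaping entry."""
    dest_root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = zf.infolist()
        # Pass 1: resolve each entry (collapsing '..' and absolute paths) and
        # confirm it stays under dest_root before anything touches the filesystem.
        for info in infos:
            target = (dest_root / info.filename).resolve()
            if target != dest_root and dest_root not in target.parents:
                raise ZipSlipError(f"entry escapes destination: {info.filename!r}")
        # Pass 2: every entry is known to be inside, so write them out.
        written = []
        for info in infos:
            target = (dest_root / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(info.filename)
    return written


def build_archive(entries: dict[str, bytes]) -> bytes:
    # Constructed helper: pack name -> content pairs into an in-memory zip.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def try_import(archive: bytes) -> tuple[bool, list[str]]:
    # Run safe_extract in a throwaway directory; returns (accepted, files written).
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return True, safe_extract(archive, tmp)
        except ZipSlipError:
            return False, []


# Constructed samples: a clean project export and one carrying a traversal entry.
CLEAN = build_archive({"project/export.json": b"{}"})
TRAVERSAL = build_archive({"project/export.json": b"{}", "../../escaped.txt": b"x"})
```

Because validation runs over all entries before extraction starts, a poisoned archive leaves nothing behind, not even its harmless-looking entries.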

Am I affected?

You're affected if you use iceScrum v7.54 Pro On-prem. Check with: `find / -name "import_a_project.jar" 2>/dev/null`

Note: If you don't recognize the name "iceScrum" or "import a Project", you're probably not affected, as it is niche software.

Version info: Not specified in the advisory.

Affected Products

DynamiApps / iceScrum v7.54 Pro On-prem

How to fix

Upgrade to iceScrum v7.55 or later.
Download from: https://www.icescrum.com/download/
Immediate mitigations:
- Restrict network access to your iceScrum instance (firewall it from the public internet)
- Audit "import a Project" activity for suspicious Zip file uploads