CVE-2018-1002200

Sažetak

plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Reference

https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680
https://snyk.io/research/zip-slip-vulnerability
https://github.com/snyk/zip-slip-vulnerability
https://github.com/codehaus-plexus/plexus-archiver/pull/87
https://github.com/codehaus-plexus/plexus-archiver/commit/f8f4233508193b70df33759ae9dc6154d69c2ea8
https://www.debian.org/security/2018/dsa-4227
https://access.redhat.com/errata/RHSA-2018:1837
https://access.redhat.com/errata/RHSA-2018:1836

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

02-08-2023 - 16:17

Objavljeno

25-07-2018 - 17:29