CVE-2018-1261

Name of the Vulnerable Software and Affected Versions Spring-integration-zip versions prior to 1.0.1

Description The issue allows for an arbitrary file write, which can be achieved by using a specially crafted zip archive that holds path traversal filenames. This affects not only zip archives but also other types such as bzip2, tar, xz, war, cpio, and 7z. When the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

Recommendations For Spring-integration-zip versions prior to 1.0.1, update to version 1.0.1 or later to resolve the issue. As a temporary workaround, consider validating and sanitizing filenames within zip archives to prevent path traversal attacks. Restrict access to sensitive directories and files to minimize the risk of exploitation.