CVE-2018-1263

Name of the Vulnerable Software and Affected Versions spring-integration-zip versions prior to 1.0.2

Description The issue allows for an arbitrary file write, which can be achieved by using a specially crafted zip archive, as well as other archives such as bzip2, tar, xz, war, cpio, and 7z, that holds path traversal filenames. When the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

Recommendations For spring-integration-zip versions prior to 1.0.2, update to version 1.0.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of zip archives and other affected archive types until a patch is applied. Avoid using the vulnerable zip archive processing functionality in the affected versions until the issue is resolved.