PT-2015-4717 · Open Source+1 · Arj Archiver+1

Jakub Wilk

Published

2015-04-06

Updated

2022-11-13

CVE-2015-0557

CVSS v2.0

5.8

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:P

Name of the Vulnerable Software and Affected Versions Open-source ARJ archiver version 3.10.22

Description The issue allows remote attackers to conduct absolute path traversal attacks and write to arbitrary files via multiple leading slashes in a path in an ARJ archive. This occurs because the Open-source ARJ archiver does not properly remove leading slashes from paths.

Recommendations For version 3.10.22, consider restricting the use of ARJ archives from untrusted sources until a patch is available. As a temporary workaround, manually inspect and remove any multiple leading slashes in paths within ARJ archives to minimize the risk of exploitation.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

ALT-PU-2022-2889

ALT-PU-2022-2920

ALT-PU-2022-2941

ALT-PU-2022-3067

CVE-2015-0557

DLA-188-1

DSA-3213-1

MGASA-2015-0150

Affected Products

Alt Linux

Arj Archiver

PT-2015-4717 · Open Source+1 · Arj Archiver+1

CVE-2015-0557

Weakness Enumeration

Related Identifiers

Affected Products

References · 31