PT-2018-1388 · Quazip

Published: 2018-06-12 · Updated: 2024-04-08 · CVE-2018-1002209

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: QuaZIP versions prior to 0.7.6

Description: The issue allows an attacker to perform directory traversal and write to arbitrary files by including a ../ (dot dot slash) sequence in a Zip archive entry name, a pattern also known as 'Zip-Slip'. The root cause is insufficient path checking in the extractDir function of the JlCompress component: the destination path is built from the entry name without verifying that it still resolves inside the target directory. A remote attacker who can get a specially crafted archive extracted with QuaZIP can thus overwrite files outside the extraction directory, which can be turned into arbitrary code execution (for example by overwriting a script or binary that is later run).

Recommendations: For QuaZIP versions prior to 0.7.6, update to version 0.7.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of the extractDir function in the JlCompress component until a patch is applied, or validate every entry name against the destination directory before extraction. Avoid extracting archives from untrusted sources to minimize the risk of exploitation.
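The check that the Description says is missing from extractDir, written out as an added C++17 example. This is illustrative code written for this page, not QuaZIP's own 0.7.6 patch and not Qt-based; the function names isSafeEntryPath and findUnsafeEntries and the sample entry names are constructed here. It joins each entry name to the destination directory, normalises the result lexically, and rejects anything whose resolved path does not start with the destination directory:

```cpp
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Lexically check whether an archive entry name, joined to the destination
// directory, still resolves inside that directory. This is the class of check
// a Zip-Slip-safe extractDir() must perform before creating any file.
// Illustrative code for this page, not QuaZIP's own patch.
bool isSafeEntryPath(const std::string& destDir, const std::string& entryName) {
    // Some archivers write '\' separators; treat them as '/' so "..\evil" is
    // not mistaken for a single harmless filename on POSIX.
    std::string name = entryName;
    std::replace(name.begin(), name.end(), '\\', '/');
    fs::path rel(name);

    // Zip entries must be relative; an absolute name ("/etc/passwd", and on
    // Windows a drive-qualified one such as "C:/x") would ignore destDir.
    if (rel.is_absolute() || rel.has_root_name() || rel.has_root_directory())
        return false;

    // Normalise both sides so "a/../../x" collapses before comparison.
    fs::path base = fs::path(destDir).lexically_normal();
    if (!base.has_filename())            // strip a trailing '/' ("out/" -> "out")
        base = base.parent_path();
    fs::path full = (base / rel).lexically_normal();

    // The resolved target must start with every component of base.
    auto b = base.begin();
    auto f = full.begin();
    for (; b != base.end(); ++b, ++f) {
        if (f == full.end() || *b != *f)
            return false;
    }
    return true;
}

// Scan a whole entry list (what a walk of the archive's central directory
// would yield) and return the names that must be rejected, so a caller can
// refuse the archive before writing anything rather than failing halfway.
std::vector<std::string> findUnsafeEntries(const std::string& destDir,
                                           const std::vector<std::string>& entries) {
    std::vector<std::string> bad;
    for (const auto& e : entries)
        if (!isSafeEntryPath(destDir, e))
            bad.push_back(e);
    return bad;
}

int main() {
    // Constructed entry names mimicking a crafted archive; not taken from any
    // real sample.
    const std::vector<std::string> entries = {
        "docs/readme.txt",          // fine
        "a/../b.txt",               // fine: stays inside after normalisation
        "..foo/bar",                // fine: "..foo" is an ordinary directory name
        "../evil.sh",               // Zip-Slip
        "a/../../evil.sh",          // Zip-Slip hidden behind a valid prefix
        "..\\evil.sh",              // Zip-Slip using Windows separators
        "/etc/passwd",              // absolute path
    };
    const std::string dest = "/tmp/out/";
    for (const auto& e : entries)
        std::cout << (isSafeEntryPath(dest, e) ? "ok      " : "REJECT  ") << e << '\n';
    std::cout << findUnsafeEntries(dest, entries).size() << " entries rejected\n";
    return 0;
}
```

The check is purely lexical, which is exactly what is needed to stop the ../ pattern in the advisory: it runs before any file is created, so a crafted archive is refused as a whole instead of being partly extracted. It does not cover an entry that is itself a symbolic link followed by a later entry that writes through it; an extractor that honours symlink entries needs a separate check for that case.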

Fix

Weakness Enumeration

Path traversal

Related Identifiers

ALT-PU-2018-3683
BDU:2018-00933
CVE-2018-1002209
MGASA-2018-0362

Affected Products

Alt Linux
Quazip