CVE-2018-1002202

Name of the Vulnerable Software and Affected Versions zip4j versions prior to 1.3.3

Description The issue is related to a directory traversal vulnerability, also known as 'Zip-Slip', which allows attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This can be exploited by a remote attacker using a specially crafted zip archive, potentially leading to the execution of arbitrary code. The vulnerability is associated with the incorrect restriction of the directory path name in the extractDir function of the zip4j library.

Recommendations For zip4j versions prior to 1.3.3, update to version 1.3.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the extractDir function until a patch is available. Avoid using zip archives from untrusted sources to minimize the risk of exploitation.