PT-2018-9622 · Apache+3 · Plexus Archiver+3

Danny Grander · Published 2018-06-12 · Updated 2023-08-02 · CVE-2018-1002200

CVSS v3.1: 5.5 Medium
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: plexus-archiver versions prior to 3.6.0
Description: The issue allows attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This is also known as 'Zip-Slip'.
Recommendations: For versions prior to 3.6.0, update to version 3.6.0 or later to resolve the issue. As a temporary workaround, consider restricting access to archive extraction functionality until a patch is available. Avoid using the affected archive extraction feature in plexus-archiver until the issue is resolved.

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CESA-2018_1836
CVE-2018-1002200
DSA-4227-1
GHSA-HCXQ-X77Q-3469
MGASA-2019-0005
RHSA-2018:1836
RHSA-2018:1837
RHSA-2018_1836
SNYK-JAVA-ORGCODEHAUSPLEXUS-31680
USN-4832-1

Affected Products

CentOS
Red Hat
Ubuntu
Plexus Archiver