PT-2019-12020 · Archive · Archiver

Published: 2019-10-28 · Updated: 2024-02-02 · CVE-2019-10743

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions: archiver, all versions
Description: The issue allows an attacker to perform a Zip Slip attack via the unarchive functions. It is exploited using a specially crafted zip archive that contains path traversal filenames. During extraction, each filename is concatenated with the target extraction directory, so a traversal entry such as "../../file.exe" resolves to a path outside the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem escalates to arbitrary code execution.
Recommendations: For all archiver versions, consider disabling the unarchive functions until a patch is available. Restrict access to sensitive files and directories to limit the impact of an overwrite, and do not use the unarchive functions on untrusted zip archives.
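The check that closes this class of bug is a destination-containment test on every entry name before anything is written. The following Go program is an added example for this advisory, not code from the archiver project: the names `unsafeTarget`, `safeTarget`, `auditZip` and `buildSampleZip` are hypothetical, and the archive it audits is constructed in memory with one benign entry and one entry shaped like the "../../file.exe" case above. `unsafeTarget` shows the unchecked join the description refers to; `safeTarget` joins, cleans, and then verifies with `filepath.Rel` that the result is still inside the destination. Since Go 1.20, `archive/zip` itself reports `zip.ErrInsecurePath` for such names while still returning a usable reader, so the auditor tolerates that error and decides per entry.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal flags an entry whose resolved path would leave the destination directory.
var ErrPathTraversal = errors.New("zip entry escapes destination directory")

// unsafeTarget is the weak pattern the advisory describes: the entry name is joined to the
// destination with no containment check, so "../../file.exe" resolves outside dest.
func unsafeTarget(dest, name string) string {
	return filepath.Join(dest, name)
}

// safeTarget joins the entry name to dest and refuses the result if it is not inside dest.
func safeTarget(dest, name string) (string, error) {
	// Zip entry names use '/' only; a backslash is either a Windows-style traversal
	// attempt or malformed input, and is rejected outright.
	if strings.Contains(name, `\`) {
		return "", ErrPathTraversal
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name) // Join cleans, collapsing ".." segments
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", err
	}
	// Anything whose path relative to dest starts with ".." has escaped.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return target, nil
}

// AuditResult separates entries that may be extracted from entries that must be refused.
type AuditResult struct {
	Safe     []string // resolved paths that stay inside dest
	Rejected []string // original entry names that would escape dest
}

// auditZip opens an in-memory zip and classifies every entry without writing any file.
func auditZip(data []byte, dest string) (AuditResult, error) {
	var res AuditResult
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Go 1.20+ returns ErrInsecurePath for names like "../x" but the reader is still
	// usable; keep going and let safeTarget decide entry by entry.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return res, err
	}
	for _, f := range zr.File {
		target, err := safeTarget(dest, f.Name)
		if errors.Is(err, ErrPathTraversal) {
			res.Rejected = append(res.Rejected, f.Name)
			continue
		}
		if err != nil {
			return res, err
		}
		res.Safe = append(res.Safe, target)
	}
	return res, nil
}

// buildSampleZip constructs a small archive in memory (constructed sample input): one
// benign entry and one traversal entry shaped like the advisory's "../../file.exe" example.
func buildSampleZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	entries := []struct{ name, body string }{
		{"docs/readme.txt", "hello"},
		{"../../file.exe", "not a real executable"},
	}
	for _, e := range entries {
		w, err := zw.Create(e.name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dest := "extract-here"
	res, err := auditZip(buildSampleZip(), dest)
	if err != nil {
		panic(err)
	}
	fmt.Println("unchecked join of traversal entry:", unsafeTarget(dest, "../../file.exe"))
	fmt.Println("safe:", res.Safe)
	fmt.Println("rejected:", res.Rejected)
}
```

The containment test is done on the cleaned, joined path rather than by string-matching the raw entry name, which is why an entry such as `a/../b.txt` is accepted (it stays inside the destination) while `sub/../../x` is refused even though it does not begin with `..`. Symlink entries are a separate concern that this check does not cover.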

Weakness Enumeration: Path traversal

Related Identifiers

CVE-2019-10743
GHSA-H74J-692G-48MQ
SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728

Affected Products: Archiver