CVE-2018-1002205
published 2018-07-25
Priority P339 · medium · 5.5 (CVSS 3.1)
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS: 12.16% (95.6th percentile)
DotNetZip.Semvered before 1.11.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dotnetzip.semverd_project | dotnetzip.semverd | < 1.11.0 | 1.11.0 |
| dotnetzip | dotnetzip.semvered | >= unspecified < 1.11.0 | 1.11.0 |
CVSS provenance
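| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| nvd | v3.0 | 5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |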
OSV
DotNetZip Zip-Slip Vulnerability
osv·2018-10-16
CVE-2018-1002205 [MEDIUM] DotNetZip Zip-Slip Vulnerability
GHSA
DotNetZip Zip-Slip Vulnerability
ghsa·2018-10-16
CVE-2018-1002205 [MEDIUM] CWE-22 DotNetZip Zip-Slip Vulnerability
CISA ICS
Omron Engineering Software Zip-Slip
cisa_ics·2023-09-19·CVSS 5.5
[MEDIUM] Omron Engineering Software Zip-Slip
ICS Advisory
## Omron Engineering Software Zip-Slip
Release Date: September 19, 2023
Alert Code: ICSA-23-262-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 5.5
- ATTENTION: Low attack complexity
- Vendor: Omron
- Equipment: Sysmac Studio, NX-IO Configurator
- Vulnerability: Path Traversal
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to overwrite files on a system.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Omron engineering software are affected:
- Sysmac Studio: version 1.54 and prior
- NX-IO Configurator: version 1.22 and prior
## 3.2 Vulnerability Overview
3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22
DotNetZip.Semvered before
- https://github.com/haf/DotNetZip.Semverd/commit/55d2c13c0cc64654e18fcdd0038fdb3d7458e366
- https://github.com/haf/DotNetZip.Semverd/pull/121
- https://github.com/snyk/zip-slip-vulnerability
- https://snyk.io/research/zip-slip-vulnerability
- https://snyk.io/vuln/SNYK-DOTNET-DOTNETZIP-60245