CVE-2018-1002207Path Traversal in Archiver

CWE-22Path Traversal5 documents4 sources
Severity
5.5MEDIUMNVD
EPSS
2.6%
top 14.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Golang ArchiverGithub.com Mholt ArchiverArchiver Project Archiver
Timeline
PublishedJul 25
Latest updateAug 21

Description

mholt/archiver golang package before e4ef56d48eb029648b0e895bb0b6a393ef0829c3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

CVEListV5golang/archiverunspecifiede4ef56d48eb029648b0e895bb0b6a393ef0829c3
Gogithub.com/mholt_archiver< 2.1.0+incompatible+1

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Arbitrary File Write via Archive Extraction in mholt/archiver in github.com/mholt/archiver2024-08-21
OSV
Arbitrary File Write via Archive Extraction in mholt/archiver2022-02-15
GHSA
Arbitrary File Write via Archive Extraction in mholt/archiver2022-02-15
CVEList
CVE-2018-1002207: mholt/archiver golang package before e4ef56d48eb029648b0e895bb0b6a393ef0829c3 is vulnerable to directory traversal, allowing attackers to write to arb2018-07-25
CVE-2018-1002207 — Path Traversal in Golang Archiver | cvebase