plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
References
| Link | Resource |
|---|---|
| https://access.redhat.com/errata/RHSA-2018:1836 | Third Party Advisory |
| https://access.redhat.com/errata/RHSA-2018:1837 | Third Party Advisory |
| https://github.com/codehaus-plexus/plexus-archiver/commit/f8f4233508193b70df33759ae9dc6154d69c2ea8 | Issue Tracking Patch Third Party Advisory |
| https://github.com/codehaus-plexus/plexus-archiver/pull/87 | Exploit Issue Tracking Patch Third Party Advisory |
| https://github.com/snyk/zip-slip-vulnerability | Exploit Issue Tracking Third Party Advisory |
| https://snyk.io/research/zip-slip-vulnerability | Exploit Third Party Advisory |
| https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680 | Exploit Third Party Advisory |
| https://www.debian.org/security/2018/dsa-4227 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
02 Aug 2023, 16:17
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:codehaus-plexus:plexus-archiver:*:*:*:*:*:*:*:* | |
| First Time |
Codehaus-plexus plexus-archiver
Codehaus-plexus |
Information
Published : 2018-07-25 17:29
Updated : 2023-12-10 12:44
NVD link : CVE-2018-1002200
Mitre link : CVE-2018-1002200
CVE.ORG link : CVE-2018-1002200
JSON object : View
Products Affected
redhat
- enterprise_linux
- enterprise_linux_desktop
- enterprise_linux_workstation
debian
- debian_linux
codehaus-plexus
- plexus-archiver
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')