Lucene search

GoogleOSV:CVE-2018-1002207

HistoryJul 25, 2018 - 5:29 p.m.

CVE-2018-1002207

2018-07-2517:29:02

Google

osv.dev

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.4%

JSON

mholt/archiver golang package before e4ef56d48eb029648b0e895bb0b6a393ef0829c3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a …/ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as ‘Zip-Slip’.

CPENameOperatorVersion
archivereq1.2
archivereq2.0.0
archivereq1.1.2
archivereq1.1.1
archivereq1.1
archivereq1.0
archivereq2.0

Name	Operator	Version
archiver	eq	1.2
archiver	eq	2.0.0
archiver	eq	1.1.2
archiver	eq	1.1.1
archiver	eq	1.1
archiver	eq	1.0
archiver	eq	2.0

References

github.com/mholt/archiver/commit/e4ef56d48eb029648b0e895bb0b6a393ef0829c3

github.com/mholt/archiver/pull/65

github.com/snyk/zip-slip-vulnerability

snyk.io/research/zip-slip-vulnerability

snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARCHIVER-50071