CVE-2018-1002207

mholt/archiver golang package before e4ef56d48eb029648b0e895bb0b6a393ef0829c3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Published: Jul 25, 2018
Updated: May 9, 2024
CVE: CVE-2018-1002207
GHSA: GHSA-5wmg-j84w-4jj4
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
archiver_project / archiver	-	2.0.x
github.com/mholt/archiver	-	2.1.0

https://github.com/mholt/archiver/commit/e4ef56d48eb029648b0e895bb0b6a393ef0829c3
https://github.com/mholt/archiver/pull/65
https://github.com/snyk/zip-slip-vulnerability
https://snyk.io/research/zip-slip-vulnerability
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARCHIVER-50071

Vulnerability Database

289,599

CVE-2018-1002207