CVE-2018-1002200

Опубликовано: 05 июн. 2018

Источник: redhat

CVSS3: 7.3

Описание

plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

A path traversal vulnerability has been discovered in plexus-archiver when extracting a carefully crafted zip file which holds path traversal file names. A remote attacker could use this vulnerability to write files outside the target directory and overwrite existing files with malicious code or vulnerable configurations.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
JBoss Developer Studio 9	plexus-archiver	Not affected
Red Hat Enterprise Linux 8	plexus-archiver	Not affected
Red Hat Fuse 7	plexus-archiver	Not affected
Red Hat JBoss Fuse Integration Service 2	plexus-archiver	Not affected
Red Hat OpenStack Platform 9 (Mitaka)	opendaylight	Will not fix
Red Hat Enterprise Linux 7	plexus-archiver	Fixed	RHSA-2018:1836	12.06.2018
Red Hat Software Collections for Red Hat Enterprise Linux 6	rh-maven33-plexus-archiver	Fixed	RHSA-2018:1837	12.06.2018
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS	rh-maven33-plexus-archiver	Fixed	RHSA-2018:1837	12.06.2018
Red Hat Software Collections for Red Hat Enterprise Linux 7	rh-maven33-plexus-archiver	Fixed	RHSA-2018:1837	12.06.2018
Red Hat Software Collections for Red Hat Enterprise Linux 7	rh-maven35-plexus-archiver	Fixed	RHSA-2018:1837	12.06.2018

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-22

https://bugzilla.redhat.com/show_bug.cgi?id=1584392plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file

7.3 High

CVSS3