Multiple vulnerabilities in Info-ZIP UnZip



Published: 2018-02-10 | Updated: 2020-08-08
Risk High
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2018-1000031
CVE-2018-1000032
CVE-2018-1000033
CVE-2018-1000034
CWE-ID CWE-119
CWE-125
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
UnZip
Client/Desktop applications / Software for archiving

Vendor Info-ZIP

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU37549

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-1000031

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.

Mitigation

Install update from vendor's website.

Vulnerable software versions

UnZip: 6.10c22


CPE2.3 External links

http://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Buffer overflow

EUVDB-ID: #VU37550

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-1000032

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service or to possibly achieve code execution.

Mitigation

Install update from vendor's website.

Vulnerable software versions

UnZip: 6.10c22


CPE2.3 External links

http://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

3) Out-of-bounds read

EUVDB-ID: #VU37551

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-1000033

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.

Mitigation

Install update from vendor's website.

Vulnerable software versions

UnZip: 6.10c22


CPE2.3 External links

http://www.securityfocus.com/bid/103031
http://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

4) Out-of-bounds read

EUVDB-ID: #VU37552

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-1000034

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that allows an attacker to perform a denial of service and read sensitive memory.

Mitigation

Install update from vendor's website.

Vulnerable software versions

UnZip: 6.10c22


CPE2.3 External links

http://www.securityfocus.com/bid/103111
http://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###