Main Vulnerability Database SB2018072602

SB2018072602 - Amazon Linux AMI update for ant

Published: July 26, 2018

Security Bulletin ID SB2018072602

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper input validation (CVE-ID: CVE-2018-10886)

The vulnerability allows a remote attacker to create or overwrite arbitrary files on the target system.

The vulnerability exists due to the affected software allows archive files to be extracted outside of the target directory. A remote unauthenticated attacker can submit a specially crafted ZIP or TAR archive to an Ant build, trick the victim into extracting it, cause a file to be created outside the current working directory on the system and create or overwrite arbitrary files.

Remediation

Install update from vendor's website.

References

https://alas.aws.amazon.com/ALAS-2018-1047.html