Main Vulnerability Database Vulnerabilities #VU14135

Path traversal in adm-zip - CVE-2018-1002204

Published: July 30, 2018 / Updated: July 31, 2018

Vulnerability identifier: #VU14135

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2018-1002204

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: The Brain

Affected software:
adm-zip

Detailed vulnerability description

The vulnerability allows a remote attacker to conduct a directory traversal attack on the target system.

The vulnerability exists in the extractDir() function of QuaZIP due to improper validation of files inside an archive file. A remote unauthenticated attacker can trick the victim into extracting an archive file that contains a file using directory traversal characters, and cause the service to crash or execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: This vulnerability is also known as 'Zip-Slip'.

How to mitigate CVE-2018-1002204

Update to version 0.4.9.

Sources

https://github.com/cthackers/adm-zip/pull/212/commits/6f4dfeb9a2166e93207443879988f97d88a37cde

Path traversal in adm-zip - CVE-2018-1002204

Detailed vulnerability description

How to mitigate CVE-2018-1002204

Sources

Please verify you're human