Main Vulnerability Database Vulnerabilities #VU46819

Untrusted search path in 7-Zip - CVE-2017-2107

Published: April 28, 2017 / Updated: September 18, 2020

Vulnerability identifier: #VU46819

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-2107

CWE-ID: CWE-426

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: 7-zip.org

Affected software:
7-Zip

Detailed vulnerability description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due untrused search path when loading dynamic libraries during archive extraction. A local user can place a malicious library on the system and trick the victim to open a an archive that will trigger malicious library loading.

How to mitigate CVE-2017-2107

Install updates from vendor's website.

Sources

http://akky.xrea.jp/security/7-zip4.txt
http://jvn.jp/en/jp/JVN86200862/index.html
http://www.securityfocus.com/bid/96431

Untrusted search path in 7-Zip - CVE-2017-2107

Detailed vulnerability description

How to mitigate CVE-2017-2107

Sources

Please verify you're human