CVE-2018-1002200
NONE EPSS 95.9%
Published Jul 25, 2018 7y ago
Last Modified Jun 17, 2026 2w ago
Description
plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
Threat Intelligence
EPSS Exploit Probability
95.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-22 Path Traversal Resource Mgmt
Affected Products 6
References 8
- access.redhat.com https://access.redhat.com/errata/RHSA-2018:1836
- access.redhat.com https://access.redhat.com/errata/RHSA-2018:1837
- github.com https://github.com/codehaus-plexus/plexus-archiver/commit/f8f4233508193b70df33759ae9dc6154d69c2ea8
- github.com https://github.com/codehaus-plexus/plexus-archiver/pull/87
- github.com https://github.com/snyk/zip-slip-vulnerability
- snyk.io https://snyk.io/research/zip-slip-vulnerability
- snyk.io https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680
- debian.org https://www.debian.org/security/2018/dsa-4227
Remediation
- github.com https://github.com/codehaus-plexus/plexus-archiver/commit/f8f4233508193b70df33759ae9dc6154d69c2ea8
- github.com https://github.com/codehaus-plexus/plexus-archiver/pull/87