CVE-2018-1002200

Severity: NONE · EPSS: 95.9%
Published Jul 25, 2018 · Modified Jun 17, 2026

Description

plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
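An added example, not code from plexus-archiver (and in Python rather than the library's Java), showing the containment check that mitigates this class of bug: resolve each entry's destination against the canonical extraction root and refuse anything that lands outside it. It is run over a constructed in-memory archive holding one benign entry and one `../` entry; the `build_sample_archive` and `demo` helpers are assumptions for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """True only if the entry would land inside dest_dir after extraction.

    Matching on the literal string "../" is not enough; resolving the path
    and comparing it with the canonical root also catches absolute entry
    names and traversal that is spread across several path components.
    """
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, entry_name))
    return target == root or target.startswith(root + os.sep)


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Extract a zip into dest_dir, skipping entries that escape it.

    Returns the names of the rejected entries so callers can log them.
    """
    root = os.path.realpath(dest_dir)
    rejected = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(root, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(root, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return rejected


def build_sample_archive() -> bytes:
    """Constructed test input: a normal entry plus a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../outside.txt", "escaped")  # would land outside dest_dir
    return buf.getvalue()


def demo() -> tuple:
    """Extract the sample into a fresh temp dir; return (rejected, benign_written)."""
    dest = tempfile.mkdtemp(prefix="zipslip-demo-")
    rejected = safe_extract(build_sample_archive(), dest)
    return rejected, os.path.isfile(os.path.join(dest, "docs", "readme.txt"))


if __name__ == "__main__":
    print(demo())
```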

Threat Intelligence

EPSS Exploit Probability
95.9% (percentile)
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-22 Path Traversal (Resource Mgmt)

Affected Products 6

Vendor            Product                        Version   Range
codehaus-plexus   plexus-archiver                *         <3.6.0
debian            debian_linux                   8.0       any
debian            debian_linux                   9.0       any
redhat            enterprise_linux               7.5       any
redhat            enterprise_linux_desktop       7.0       any
redhat            enterprise_linux_workstation   7.0       any

References 8

  • access.redhat.com https://access.redhat.com/errata/RHSA-2018:1836
    Third Party Advisory
  • access.redhat.com https://access.redhat.com/errata/RHSA-2018:1837
    Third Party Advisory
  • github.com https://github.com/codehaus-plexus/plexus-archiver/commit/f8f4233508193b70df33759ae9dc6154d69c2ea8
    Issue Tracking · Patch · Third Party Advisory
  • github.com https://github.com/codehaus-plexus/plexus-archiver/pull/87
    Exploit · Issue Tracking · Patch · Third Party Advisory
  • github.com https://github.com/snyk/zip-slip-vulnerability
    Exploit · Issue Tracking · Third Party Advisory
  • snyk.io https://snyk.io/research/zip-slip-vulnerability
    Exploit · Third Party Advisory
  • snyk.io https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680
    Exploit · Third Party Advisory
  • debian.org https://www.debian.org/security/2018/dsa-4227
    Third Party Advisory

Remediation

  • github.com https://github.com/codehaus-plexus/plexus-archiver/commit/f8f4233508193b70df33759ae9dc6154d69c2ea8
    Issue Tracking · Patch · Third Party Advisory
  • github.com https://github.com/codehaus-plexus/plexus-archiver/pull/87
    Exploit · Issue Tracking · Patch · Third Party Advisory