An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTV3bWctajg0dy00amo0

Moderate. EPSS: 0.02615% (0.85089 Percentile)

Arbitrary File Write via Archive Extraction in mholt/archiver

Affected Package: go:github.com/mholt/archiver
PURL: pkg:go/github.com%2Fmholt%2Farchiver
Affected Versions: < 2.1.0
Fixed Versions: 2.1.0
1,185 Dependent packages
1,724 Dependent repositories

Affected Version Ranges

All affected versions

v1.1.1, v1.1.2, v2.0.0+incompatible

All unaffected versions

v2.1.0+incompatible, v3.0.0+incompatible, v3.0.1+incompatible, v3.1.0+incompatible, v3.1.1+incompatible

The mholt/archiver Go package before e4ef56d48eb029648b0e895bb0b6a393ef0829c3 is vulnerable to directory traversal: a ../ (dot dot slash) in an archive entry is mishandled during extraction, allowing attackers to write to arbitrary files. This vulnerability is also known as 'Zip-Slip'.
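The containment check that extraction code needs for this bug class, shown beside the unchecked join. This is an added example, not code from mholt/archiver or its fix. The names naiveJoin, safeJoin and auditEntries, the /srv/out directory and the entry names are assumptions constructed for illustration, and symlink entries are outside its scope.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naiveJoin mirrors the vulnerable pattern: the entry name is trusted as-is.
func naiveJoin(dest, entry string) string {
	return filepath.Join(dest, entry)
}

// safeJoin resolves entry under dest and rejects any result outside dest.
// Assumption: dest is a directory other than the filesystem root.
func safeJoin(dest, entry string) (string, error) {
	root := filepath.Clean(dest)
	target := filepath.Join(root, entry) // Join also cleans "a/../.." segments
	// Compare against root plus a separator so that a sibling such as
	// "/srv/out-evil" is not mistaken for a child of "/srv/out".
	if target != root && !strings.HasPrefix(target, root+string(filepath.Separator)) {
		return "", fmt.Errorf("illegal entry path %q: escapes %s", entry, root)
	}
	return target, nil
}

// auditEntries returns the entry names that safeJoin refuses.
func auditEntries(dest string, entries []string) []string {
	var rejected []string
	for _, e := range entries {
		if _, err := safeJoin(dest, e); err != nil {
			rejected = append(rejected, e)
		}
	}
	return rejected
}

func main() {
	dest := "/srv/out" // constructed extraction directory
	// Constructed archive entry names, not taken from a real archive.
	entries := []string{"docs/readme.txt", "../escape.txt",
		"a/../../escape.txt", "../out-evil/x", "./ok.txt"}
	for _, e := range entries {
		fmt.Printf("%-20s naive=%s\n", e, naiveJoin(dest, e))
	}
	fmt.Println("rejected:", auditEntries(dest, entries))
}
```

An extractor should call a check like this on every entry before creating any file or directory, and abort or skip the entry on error.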
