Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTV3bWctajg0dy00amo0
Arbitrary File Write via Archive Extraction in mholt/archiver
mholt/archiver golang package before e4ef56d48eb029648b0e895bb0b6a393ef0829c3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
Permalink: https://github.com/advisories/GHSA-5wmg-j84w-4jj4JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTV3bWctajg0dy00amo0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 5.5
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Identifiers: GHSA-5wmg-j84w-4jj4, CVE-2018-1002207
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1002207
- https://github.com/mholt/archiver/pull/65
- https://github.com/mholt/archiver/commit/e4ef56d48eb029648b0e895bb0b6a393ef0829c3
- https://github.com/snyk/zip-slip-vulnerability
- https://snyk.io/research/zip-slip-vulnerability
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARCHIVER-50071
- https://github.com/advisories/GHSA-5wmg-j84w-4jj4
Blast Radius: 17.8
Affected Packages
go:github.com/mholt/archiver
Dependent packages: 1,185Dependent repositories: 1,724
Downloads:
Affected Version Ranges: < 2.1.0
Fixed in: 2.1.0
All affected versions: 1.1.1, 1.1.2, 2.0.0
All unaffected versions: 2.1.0, 3.0.0, 3.0.1, 3.1.0, 3.1.1