Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW05am0tcmhybS1nY3hq
Path traversal in org.springframework.integration:spring-integration-zip
Spring-integration-zip versions prior to 1.0.1 exposes an arbitrary file write vulnerability, which can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z) that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.
Permalink: https://github.com/advisories/GHSA-m9jm-rhrm-gcxjJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW05am0tcmhybS1nY3hq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: about 1 month ago
CVSS Score: 4.7
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Identifiers: GHSA-m9jm-rhrm-gcxj, CVE-2018-1261
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1261
- https://github.com/advisories/GHSA-m9jm-rhrm-gcxj
- https://pivotal.io/security/cve-2018-1261
- http://www.securityfocus.com/bid/104178
- https://github.com/spring-projects/spring-integration-extensions/commit/a5573eb232ff85199ff9bb28993df715d9a19a25
Blast Radius: 4.2
Affected Packages
maven:org.springframework.integration:spring-integration-zip
Dependent packages: 3Dependent repositories: 8
Downloads:
Affected Version Ranges: < 1.0.1
Fixed in: 1.0.1
All affected versions:
All unaffected versions: 2.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4