4.3
CVSSv2

CVE-2018-1002200

Published: 25/07/2018 Updated: 09/10/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

plexus-archiver prior to 3.6.0 is vulnerable to directory traversal, allowing malicious users to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

Vendor Advisories

Synopsis Important: plexus-archiver security update Type/Severity Security Advisory: Important Topic An update for plexus-archiver is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (C ...
Synopsis Important: rh-maven33-plexus-archiver and rh-maven35-plexus-archiver security update Type/Severity Security Advisory: Important Topic An update for rh-maven33-plexus-archiver and rh-maven35-plexus-archiver is now available for Red Hat Software CollectionsRed Hat Product Security has rated this upd ...
Debian Bug report logs - #900953 plexus-archiver: CVE-2018-1002200 Package: src:plexus-archiver; Maintainer for src:plexus-archiver is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Thu, 7 Jun 2018 09:27:02 UTC Severity: grave Tags: ...
Danny Grander discovered a directory traversal flaw in plexus-archiver, an Archiver plugin for the Plexus compiler system, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted Zip archive For the oldstable distribution (jessie), this problem has been fixed in version 12-1+deb8u1 For the stable distri ...
A path traversal vulnerability has been discovered in plexus-archiver when extracting a carefully crafted zip file which holds path traversal file names A remote attacker could use this vulnerability to write files outside the target directory and overwrite existing files with malicious code or vulnerable configurations ...
A path traversal vulnerability has been discovered in plexus-archiver when extracting a carefully crafted zip file which holds path traversal file names A remote attacker could use this vulnerability to write files outside the target directory and overwrite existing files with malicious code or vulnerable configurations(CVE-2018-1002200 ) ...
Summary Snyk Security team  discloses a widespread arbitrary file overwrite critical vulnerability, which typically results in remote command execution The flaw which has been named Zip Slip affects numerous archive-extraction libraries and archive formats  More information is available at: githubcom/snyk/zip-slip-vulnerability Bro ...

Github Repositories

Zip Slip Vulnerability (Arbitrary file write through archive extraction)

Zip Slip Zip Slip is a widespread critical archive extraction vulnerability, allowing attackers to write arbitrary files on the system, typically resulting in remote command execution It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pi