5.5
CVSSv3

CVE-2018-1002200

Published: 25/07/2018 Updated: 09/10/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

plexus-archiver prior to 3.6.0 is vulnerable to directory traversal, allowing malicious users to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

plexus-archiver project plexus-archiver

redhat enterprise linux desktop 7.0

redhat enterprise linux workstation 7.0

redhat enterprise linux 7.5

debian debian linux 8.0

debian debian linux 9.0

Vendor Advisories

Synopsis Important: plexus-archiver security update Type/Severity Security Advisory: Important Topic An update for plexus-archiver is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (C ...
Synopsis Important: rh-maven33-plexus-archiver and rh-maven35-plexus-archiver security update Type/Severity Security Advisory: Important Topic An update for rh-maven33-plexus-archiver and rh-maven35-plexus-archiver is now available for Red Hat Software CollectionsRed Hat Product Security has rated this upd ...
Debian Bug report logs - #900953 plexus-archiver: CVE-2018-1002200 Package: src:plexus-archiver; Maintainer for src:plexus-archiver is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Thu, 7 Jun 2018 09:27:02 UTC Severity: grave Tags: ...
Danny Grander discovered a directory traversal flaw in plexus-archiver, an Archiver plugin for the Plexus compiler system, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted Zip archive For the oldstable distribution (jessie), this problem has been fixed in version 12-1+deb8u1 For the stable distri ...
A path traversal vulnerability has been discovered in plexus-archiver when extracting a carefully crafted zip file which holds path traversal file names A remote attacker could use this vulnerability to write files outside the target directory and overwrite existing files with malicious code or vulnerable configurations ...
A path traversal vulnerability has been discovered in plexus-archiver when extracting a carefully crafted zip file which holds path traversal file names A remote attacker could use this vulnerability to write files outside the target directory and overwrite existing files with malicious code or vulnerable configurations(CVE-2018-1002200) ...

Github Repositories

Zip Slip Vulnerability (Arbitrary file write through archive extraction)

Zip Slip Zip Slip is a widespread critical archive extraction vulnerability, allowing attackers to write arbitrary files on the system, typically resulting in remote command execution It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pi