← Back to CVEs

CVE-2018-1261

MEDIUM

4.7

Description

Spring-integration-zip versions prior to 1.0.1 exposes an arbitrary file write vulnerability, which can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z) that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

CVE Details

CVSS v3.1 Score4.7

SeverityMEDIUM

CVSS VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack VectorLOCAL

ComplexityHIGH

Privileges RequiredNONE

User InteractionREQUIRED

Published5/11/2018

Last Modified11/21/2024

Sourcenvd

Honeypot Sightings0

Affected Products

vmware:spring_integration_zip

Weaknesses (CWE)

CWE-22

References

http://www.securityfocus.com/bid/104178(security_alert@emc.com)

https://pivotal.io/security/cve-2018-1261(security_alert@emc.com)

http://www.securityfocus.com/bid/104178(af854a3a-2127-422b-91ae-364da2661108)

https://pivotal.io/security/cve-2018-1261(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.