CVE-2018-1002202

Impact:
Important
Public Date:
2018-06-05
CWE:
CWE-20
Bugzilla:
1584409: CVE-2018-1002202 zip4j: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file

The MITRE CVE dictionary describes this issue as:

zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Find out more about CVE-2018-1002202 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 6.3
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality Low
Integrity Impact Low
Availability Impact Low

Affected Packages State

Platform Package State
Red Hat JBoss Data Virtualization 6 zip4j Not affected

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.