CVE-2018-1002204

Impact:
Moderate
Public Date:
2015-01-08
CWE:
CWE-20
Bugzilla:
1584400: CVE-2018-1002204 nodejs-adm-zip: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file

The MITRE CVE dictionary describes this issue as:

adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Find out more about CVE-2018-1002204 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

While Red Hat Mobile Application Platform (RHMAP) does include the vulnerable library, it does not use the vulnerable methods extract* fixed in the library, [1]. RHMAP upgrade the vulnerable library in a future version.

[1] https://github.com/cthackers/adm-zip/commit/6f4dfeb9a2166e93207443879988f97d88a37cde

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 5.3
CVSS3 Base Metrics CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact High
Availability Impact Low

Affected Packages State

Platform Package State
Red Hat Mobile Application Platform On-Premise 4 nodejs-adm-zip Will not fix

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.