CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-10743
https://notcve.org/view.php?id=CVE-2019-10743
All versions of archiver allow attacker to perform a Zip Slip attack via the "unarchive" functions. It is exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a "../../file.exe" location and thus break out of the target folder. • https://github.com/mholt/archiver/pull/169 https://snyk.io/research/zip-slip-vulnerability https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728 https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728%2C • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 4CVE-2018-1002207
https://notcve.org/view.php?id=CVE-2018-1002207
mholt/archiver golang package before e4ef56d48eb029648b0e895bb0b6a393ef0829c3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. El paquete mholt/archiver golang en versiones anteriores a la e4ef56d48eb029648b0e895bb0b6a393ef0829c3 es vulnerable a un salto de directorio, lo que permite que los atacantes escriban en archivos arbitrarios mediante un ../ (punto punto barra) en una entrada de archivo que se gestiona de manera incorrecta durante la extracción. Esta vulnerabilidad también se conoce como "Zip-Slip". • https://github.com/mholt/archiver/commit/e4ef56d48eb029648b0e895bb0b6a393ef0829c3 https://github.com/mholt/archiver/pull/65 https://github.com/snyk/zip-slip-vulnerability https://snyk.io/research/zip-slip-vulnerability https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARCHIVER-50071 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •