CVSS: 5.8EPSS: 1%CPEs: 1EXPL: 1CVE-2019-10743
https://notcve.org/view.php?id=CVE-2019-10743
28 Oct 2019 — All versions of archiver allow attacker to perform a Zip Slip attack via the "unarchive" functions. It is exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a "../../file.exe" location and thus break out of the target folder. • https://github.com/mholt/archiver/pull/169 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.5EPSS: 11%CPEs: 1EXPL: 4CVE-2018-1002207
https://notcve.org/view.php?id=CVE-2018-1002207
25 Jul 2018 — mholt/archiver golang package before e4ef56d48eb029648b0e895bb0b6a393ef0829c3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. El paquete mholt/archiver golang en versiones anteriores a la e4ef56d48eb029648b0e895bb0b6a393ef0829c3 es vulnerable a un salto de directorio, lo que permite que los atacantes escriban en archivos arbitrarios mediante... • https://github.com/mholt/archiver/commit/e4ef56d48eb029648b0e895bb0b6a393ef0829c3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •