CVE-2018-1261

Spring-integration-zip versions prior to 1.0.1 exposes an arbitrary file write vulnerability, which can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z) that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.
References
Link Resource
http://www.securityfocus.com/bid/104178 Third Party Advisory VDB Entry
https://pivotal.io/security/cve-2018-1261 Vendor Advisory
http://www.securityfocus.com/bid/104178 Third Party Advisory VDB Entry
https://pivotal.io/security/cve-2018-1261 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:vmware:spring_integration_zip:*:*:*:*:*:*:*:*

History

21 Nov 2024, 03:59

Type Values Removed Values Added
References () http://www.securityfocus.com/bid/104178 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/104178 - Third Party Advisory, VDB Entry
References () https://pivotal.io/security/cve-2018-1261 - Vendor Advisory () https://pivotal.io/security/cve-2018-1261 - Vendor Advisory

12 Aug 2021, 21:31

Type Values Removed Values Added
CPE cpe:2.3:a:pivotal_software:spring_integration_zip:*:*:*:*:*:*:*:* cpe:2.3:a:vmware:spring_integration_zip:*:*:*:*:*:*:*:*

Information

Published : 2018-05-11 20:29

Updated : 2024-11-21 03:59


NVD link : CVE-2018-1261

Mitre link : CVE-2018-1261

CVE.ORG link : CVE-2018-1261


JSON object : View

Products Affected

vmware

  • spring_integration_zip
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')