CVE-2018-1263

Addresses partial fix in CVE-2018-1261. Pivotal spring-integration-zip, versions prior to 1.0.2, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.
References
Link Resource
http://www.securityfocus.com/bid/104179 Third Party Advisory VDB Entry
https://pivotal.io/security/cve-2018-1263 Vendor Advisory
http://www.securityfocus.com/bid/104179 Third Party Advisory VDB Entry
https://pivotal.io/security/cve-2018-1263 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:vmware:spring_integration_zip:*:*:*:*:*:*:*:*

History

21 Nov 2024, 03:59

Type Values Removed Values Added
References () http://www.securityfocus.com/bid/104179 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/104179 - Third Party Advisory, VDB Entry
References () https://pivotal.io/security/cve-2018-1263 - Vendor Advisory () https://pivotal.io/security/cve-2018-1263 - Vendor Advisory

12 Aug 2021, 21:31

Type Values Removed Values Added
CPE cpe:2.3:a:pivotal_software:spring_integration_zip:*:*:*:*:*:*:*:* cpe:2.3:a:vmware:spring_integration_zip:*:*:*:*:*:*:*:*

Information

Published : 2018-05-15 20:29

Updated : 2024-11-21 03:59


NVD link : CVE-2018-1263

Mitre link : CVE-2018-1263

CVE.ORG link : CVE-2018-1263


JSON object : View

Products Affected

vmware

  • spring_integration_zip
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')