CVE-2018-1002201 — Improper Limitation of a Pathname to a Restricted Directory in zt-zip

Description

zt-zip before 1.13 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

How to fix CVE-2018-1002201

To remediate CVE-2018-1002201, upgrade the affected package to a fixed version below.

—upgrade to 1.13 or later

Is CVE-2018-1002201 being exploited?

Moderate — EPSS is 10.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 1.13

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1002201
WEBgithub.com/snyk/zip-slip-vulnerability
WEBgithub.com/zeroturnaround/zt-zip/blob/zt-zip-1.13/Changelog.txt
WEBgithub.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff