CVE-2018-1002209

low-risk

Published 2018-07-25

QuaZIP before 0.7.6 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Do I need to act?

0.86% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Quazip

Affected Vendors

Quazip Project

References (8)

Third Party Advisory https://github.com/snyk/zip-slip-vulnerability

Release Notes https://github.com/stachenov/quazip/blob/0.7.6/NEWS.txt

Patch https://github.com/stachenov/quazip/commit/5d2fc16a1976e5bf78d2927b012f67a2ae047...

Third Party Advisory https://snyk.io/research/zip-slip-vulnerability

Third Party Advisory https://github.com/snyk/zip-slip-vulnerability

Release Notes https://github.com/stachenov/quazip/blob/0.7.6/NEWS.txt

Patch https://github.com/stachenov/quazip/commit/5d2fc16a1976e5bf78d2927b012f67a2ae047...

Third Party Advisory https://snyk.io/research/zip-slip-vulnerability

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 3/34 · Minimal

Exposure 5/34 · Minimal