CVE-2018-1002202 (Medium) detected in zip4j-1.3.2.jar #2
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2018-1002202 - Medium Severity Vulnerability
An open source java library to handle zip files
Library home page: http://www.lingala.net/zip4j/
Path to dependency file: CyberWorld/build.gradle
Path to vulnerable library: 152_YOPGFG/downloadResource_HGXZPV/20200920214212/zip4j-1.3.2.jar,20200920214152_YOPGFG/downloadResource_HGXZPV/20200920214212/zip4j-1.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: b9535363a088a5809fb5876244f5880e14505c9b
Found in base branch: master
zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
Publish Date: 2018-07-25
URL: CVE-2018-1002202
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002202
Release Date: 2018-07-25
Fix Resolution: 1.3.3
Step up your Open Source Security Game with WhiteSource here
The text was updated successfully, but these errors were encountered: