CVE-2015-0557

ARJ Archiver < 3.10.22 - Path Traversal and Arbitrary File Write via Leading Slashes

Description

Open-source ARJ archiver 3.10.22 does not properly remove leading slashes from paths, which allows remote attackers to conduct absolute path traversal attacks and write to arbitrary files via multiple leading slashes in a path in an ARJ archive.

References (10)

Core References
Vendor Advisory (vendor-advisory, x_refsource_mandriva): http://www.mandriva.com/security/advisories?name=MDVSA-2015:201
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154605.html
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2015/01/05/9
Third Party Advisory (vendor-advisory, x_refsource_gentoo): https://security.gentoo.org/glsa/201612-15
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2015/01/03/5
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155011.html
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2015/dsa-3213
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154518.html
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/71895

Scores

EPSS 0.0337
EPSS Percentile 87.3%

Details

CWE
CWE-22
Status published
Products (4)
arj_software/arj_archiver < 3.10.22
fedoraproject/fedora 20
fedoraproject/fedora 21
fedoraproject/fedora 22
Published Apr 08, 2015
Tracked Since Feb 18, 2026