CVE-2017-1000472

MEDIUM

POCO C++ Libraries <1.8 - Path Traversal


Description

The ZipCommon::isValidPath() function in Zip/src/ZipCommon.cpp in POCO C++ Libraries before 1.8 does not properly restrict the filename value stored in the ZIP entry header: it does not reject absolute paths. An attacker who can supply a crafted ZIP file to an application that decompresses it with POCO can therefore perform absolute path traversal during extraction and create or overwrite arbitrary files that the extracting process has write access to. The upstream issue tracks this as a "file path injection vulnerability".
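The check the description refers to is the one that must run on every entry name before it is joined to the extraction directory. The following is an added illustrative example, not POCO's own isValidPath() implementation or its 1.8 fix: it rejects absolute POSIX paths, root-relative and drive-qualified Windows paths, and any ".." component, and then re-checks the resolved target lexically as defence in depth. Function names, the extraction root "/tmp/out" and the sample entry names are assumptions chosen for the example; it requires C++17 for std::filesystem.

```cpp
// Added example (not POCO code): validating ZIP entry names before extraction,
// the class of check that was missing in POCO < 1.8 (CVE-2017-1000472).
// Assumed names: isSafeZipEntryName, staysUnderRoot, and the root "/tmp/out".
#include <cctype>
#include <filesystem>
#include <iostream>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Split an entry name on both '/' and '\\'. ZIP archives produced on Windows
// may carry backslashes, and many extractors treat both as separators, so a
// validator that only looks at '/' can be bypassed with "..\\..\\".
static std::vector<std::string> splitComponents(const std::string& name) {
    std::vector<std::string> parts;
    std::string cur;
    for (char c : name) {
        if (c == '/' || c == '\\') {
            parts.push_back(cur);
            cur.clear();
        } else {
            cur += c;
        }
    }
    parts.push_back(cur);
    return parts;
}

// True only for names that cannot escape the extraction directory when joined
// to it: no absolute path, no drive letter, no ".." component, no NUL byte.
bool isSafeZipEntryName(const std::string& name) {
    if (name.empty()) return false;
    if (name.find('\0') != std::string::npos) return false;   // truncation tricks
    if (name[0] == '/' || name[0] == '\\') return false;       // "/etc/..." or "\\server\share"
    if (name.size() >= 2 && std::isalpha(static_cast<unsigned char>(name[0])) && name[1] == ':')
        return false;                                           // "C:\..." or drive-relative "C:foo"
    for (const std::string& part : splitComponents(name)) {
        if (part == "..") return false;                         // parent-directory escape
    }
    return true;
}

// Defence in depth: resolve the would-be target lexically and confirm it is
// still under the root. On POSIX, root / "/etc/passwd" yields "/etc/passwd"
// (an absolute right-hand side replaces the left), which is exactly the
// absolute-path traversal the advisory describes; this catches it too.
bool staysUnderRoot(const fs::path& root, const std::string& entryName) {
    fs::path normRoot = root.lexically_normal();
    fs::path target = (root / entryName).lexically_normal();
    fs::path rel = target.lexically_relative(normRoot);
    if (rel.empty()) return false;                 // unrelated path (cannot be expressed relative to root)
    return rel.begin()->string() != "..";          // leading ".." means it escaped
}

int main() {
    // Constructed sample entry names, as an attacker-controlled ZIP might carry.
    const char* samples[] = {
        "docs/readme.txt", "/etc/cron.d/backdoor", "..\\..\\Windows\\win.ini",
        "C:\\boot.ini", "a/b/../../../x", "a/./b",
    };
    for (const char* s : samples) {
        std::cout << (isSafeZipEntryName(s) ? "accept " : "reject ") << s
                  << "  (under root: " << (staysUnderRoot("/tmp/out", s) ? "yes" : "no") << ")\n";
    }
    return 0;
}
```

Both checks are lexical; they say nothing about symlinks already present in the extraction directory, which is a separate concern an extractor must handle (for example by refusing to follow symlinks when opening each target).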

References (3)

https://github.com/pocoproject/poco/issues/1968 (Exploit, Issue Tracking, Patch)
https://www.debian.org/security/2018/dsa-4083 (Third Party Advisory, Debian vendor advisory DSA-4083)
https://lists.debian.org/debian-lts-announce/2018/01/msg00013.html (Mailing List, debian-lts-announce)

Scores

CVSS v3 6.5
EPSS 0.0168
EPSS Percentile 74.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE
CWE-22
Status published
Products (3)
debian/debian_linux 8.0
debian/debian_linux 9.0
pocoproject/poco < 1.8
Published Jan 03, 2018
Tracked Since Feb 18, 2026