CVE-2018-1002200

MEDIUM

Plexus-archiver <3.6.0 - Path Traversal

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2018-1002200. PoCs published by dawetmaster, andikahilmy, shoucheng3.

AI-analyzed exploit summary This repository contains the source code of the vulnerable version of Plexus Archiver (CVE-2018-1002200), which is a directory traversal vulnerability. The repository includes detailed release notes and source files but does not contain an exploit PoC or technical analysis of the vulnerability itself.

Description

plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Exploits (3)

nomisec WRITEUP
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-1002200-plexus-archiver-vulnerable

This repository contains the source code of the vulnerable version of Plexus Archiver (CVE-2018-1002200), which is a directory traversal vulnerability. The repository includes detailed release notes and source files but does not contain an exploit PoC or technical analysis of the vulnerability itself.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Plexus Archiver (versions prior to fix)
No auth needed
Prerequisites: Vulnerable version of Plexus Archiver
devstral-2 · analyzed Mar 14, 2026 Full analysis →
nomisec WRITEUP
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-1002200-plexus-archiver-vulnerable

This repository contains the source code of the vulnerable version of Plexus Archiver (CVE-2018-1002200), including detailed release notes and technical documentation. It does not include an exploit PoC but provides the vulnerable codebase for analysis.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Plexus Archiver (versions prior to fix)
No auth needed
Prerequisites: Access to a system using vulnerable Plexus Archiver
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec STUB
by shoucheng3 · poc
https://github.com/shoucheng3/codehaus-plexus__plexus-archiver_CVE-2018-1002200_3-5

This repository appears to be a partial or incomplete snapshot of the Plexus Archiver project, specifically targeting CVE-2018-1002200. The provided files are mostly source code from the project itself, lacking any exploit or proof-of-concept code.

Classification
Stub 90%
Attack Type
Other
Complexity
Complex
Reliability
Theoretical
Target: Plexus Archiver
No auth needed
Prerequisites: Access to vulnerable Plexus Archiver version
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/research/zip-slip-vulnerability
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4227
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/snyk/zip-slip-vulnerability
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1837
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/codehaus-plexus/plexus-archiver/pull/87
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1836

Scores

CVSS v3 5.5
EPSS 0.0547
EPSS Percentile 90.4%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE
CWE-22
Status published
Products (7)
codehaus-plexus/plexus-archiver < 3.6.0
debian/debian_linux 8.0
debian/debian_linux 9.0
org.codehaus.plexus/plexus-archiver 0 - 3.6.0Maven
redhat/enterprise_linux 7.5
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_workstation 7.0
Published Jul 25, 2018
Tracked Since Feb 18, 2026