CVE-2018-1002202

MEDIUM

zip4j <1.3.3 - Path Traversal

Title source: llm

Description

zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Exploits (2)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/srikanth-lingala__zip4j_CVE-2018-1002202_1-3-2
nomisec WRITEUP
by iris-sast · poc
https://github.com/iris-sast/zip4j

Scores

CVSS v3 6.5
EPSS 0.0372
EPSS Percentile 88.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE
CWE-22
Status published
Products (2)
net.lingala.zip4j/zip4j 0 - 1.3.3 (Maven)
zip4j_project/zip4j < 1.3.3
Published Jul 25, 2018
Tracked Since Feb 18, 2026