CVE-2018-1002204

MEDIUM

adm-zip <0.4.9 - Path Traversal

Title source: llm

Description

adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

References (6)

Core 6

Core References

Exploit, Third Party Advisory x_refsource_misc

https://snyk.io/research/zip-slip-vulnerability

Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_confirm

https://github.com/cthackers/adm-zip/pull/212

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/107001

Issue Tracking, Patch, Third Party Advisory x_refsource_confirm

https://github.com/cthackers/adm-zip/commit/62f64004fefb894c523a7143e8a88ebe6c84df25

View Patch ZIP pw:eip

Exploit, Third Party Advisory x_refsource_misc

https://github.com/snyk/zip-slip-vulnerability

View Exploit ZIP pw:eip

Exploit, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/npm:adm-zip:20180415

Scores

CVSS v3 5.5

EPSS 0.1758

EPSS Percentile 95.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE

CWE-22

Status published

Products (2)

adm-zip_project/adm-zip < 0.4.9

npm/adm-zip 0 - 0.4.11npm

Published Jul 25, 2018

Tracked Since Feb 18, 2026