CVE-2018-1002209

MEDIUM

QuaZIP <0.7.6 - Path Traversal

Title source: llm

Description

QuaZIP before 0.7.6 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

References (4)

Core 4

Core References

Third Party Advisory x_refsource_misc

https://snyk.io/research/zip-slip-vulnerability

Third Party Advisory x_refsource_misc

https://github.com/snyk/zip-slip-vulnerability

View Writeup ZIP pw:eip

Release Notes x_refsource_confirm

https://github.com/stachenov/quazip/blob/0.7.6/NEWS.txt

View Writeup ZIP pw:eip

Patch x_refsource_confirm

https://github.com/stachenov/quazip/commit/5d2fc16a1976e5bf78d2927b012f67a2ae047a98

Scores

CVSS v3 5.5

EPSS 0.0086

EPSS Percentile 75.1%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE

CWE-22

Status published

Products (1)

quazip_project/quazip < 0.7.6

Published Jul 25, 2018

Tracked Since Feb 18, 2026