CVE-2018-10862

MEDIUM

Redhat Virtualization < 5.0.0 - Path Traversal


Description

WildFly Core before version 6.0.0.Alpha3 does not properly validate file paths contained in .war archives, so extracting a crafted .war archive can overwrite arbitrary files outside the intended deployment directory. This is an instance of the 'Zip Slip' vulnerability (path traversal via archive entry names).

References (11)

https://snyk.io/research/zip-slip-vulnerability (Third Party Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10862 (Issue Tracking, Vendor Advisory)
https://access.redhat.com/errata/RHSA-2018:2428 (Vendor Advisory)
https://access.redhat.com/errata/RHSA-2018:2643 (Vendor Advisory)
https://access.redhat.com/errata/RHSA-2018:2279 (Vendor Advisory)
https://access.redhat.com/errata/RHSA-2018:2424 (Vendor Advisory)
https://access.redhat.com/errata/RHSA-2018:2276 (Vendor Advisory)
https://access.redhat.com/errata/RHSA-2018:2423 (Vendor Advisory)
https://access.redhat.com/errata/RHSA-2018:2425 (Vendor Advisory)
https://access.redhat.com/errata/RHSA-2018:2277 (Vendor Advisory)
https://access.redhat.com/errata/RHSA-2019:0877 (Vendor Advisory)

Scores

CVSS v3 base score: 5.5
EPSS: 0.0126
EPSS Percentile: 66.0%
Attack Vector: LOCAL
CVSS v3.0 vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE: CWE-22
Status: published

Products (5)

org.wildfly.core/wildfly-server 0 - 6.0.0.Alpha3 (Maven)
redhat/jboss_enterprise_application_platform 7.1.0
redhat/virtualization 4.0
redhat/wildfly_core 6.0.0 alpha1 (2 CPE variants)
redhat/wildfly_core < 5.0.0

Published: Jul 27, 2018
Tracked Since: Feb 18, 2026