CVE-2019-14452
Severity: HIGH
Sigil < 0.9.16 - Path Traversal and Arbitrary File Write via ZIP Archive Extraction
Title source: llmDescription
Sigil before 0.9.16 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction.
References (9)
Third Party Advisory (x_refsource_misc): https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505967936
Third Party Advisory (x_refsource_misc): https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505997355
Patch, Third Party Advisory (x_refsource_misc): https://github.com/Sigil-Ebook/Sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4
Patch, Third Party Advisory (x_refsource_misc): https://github.com/Sigil-Ebook/Sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4
Patch, Third Party Advisory (x_refsource_misc): https://github.com/Sigil-Ebook/Sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/Sigil-Ebook/Sigil/releases/tag/0.9.16
Third Party Advisory (x_refsource_misc): https://github.com/Sigil-Ebook/Sigil/compare/ea7f27d...5b867e5
Third Party Advisory, vendor-advisory (x_refsource_ubuntu): https://usn.ubuntu.com/4085-1/
Various Sources (x_refsource_misc): https://salvatoresecurity.com/zip-slip-in-sigil-cve-2019-14452/
Scores
CVSS v3: 7.5
EPSS: 0.0299
EPSS Percentile: 86.7%
Attack Vector: NETWORK
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE: CWE-22
Status: published
Products (5)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.04
flightcrew_project/flightcrew 0.9.2
sigil-ebook/sigil < 0.9.16
Published: Jul 31, 2019
Tracked Since: Feb 18, 2026