Jump to:

CVE-2017-1000472

Jump to:

CVE-2017-1000472

Package poco updated to version 1.8.0.1-alt1 for branch sisyphus in task 194313.

Published: 2018-01-03
Modified: 2024-11-21

CVE-2017-1000472

The ZipCommon::isValidPath() function in Zip/src/ZipCommon.cpp in POCO C++ Libraries before 1.8 does not properly restrict the filename value in the ZIP header, which allows attackers to conduct absolute path traversal attacks during the ZIP decompression, and possibly create or overwrite arbitrary files, via a crafted ZIP file, related to a "file path injection vulnerability".

Severity: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References:

https://github.com/pocoproject/poco/issues/1968
https://github.com/pocoproject/poco/issues/1968
[debian-lts-announce] 20180110 [SECURITY] [DLA 1239-1] poco security update
[debian-lts-announce] 20180110 [SECURITY] [DLA 1239-1] poco security update
DSA-4083
DSA-4083

Version: 2.1.0

Package poco update in sisyphus on 2024-04-05

ALT-PU-2017-3590-1

Closed vulnerabilities

CVE-2017-1000472