ALT-PU-2018-3683-1

Package update libquazip in branch sisyphus

Version0.7.6-alt1

Published2024-04-08

Max severityCRITICAL

Severity:

Closed issues (2)

CRITICAL9.6

Уязвимость функции extractDir компонента JICompress библиотеки QuaZIP, позволяющая нарушителю выполнить произвольный код

Published: 2018-08-03Modified: 2021-03-23

CVSS 3.xCRITICAL 9.6

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2018-1002209

CVE-2018-1002209

MEDIUM5.5

QuaZIP before 0.7.6 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Published: 2018-07-25Modified: 2024-11-21

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References