Directory Traversal Vulnerability in adm-zip Library by npm
CVE-2018-1002204

5.5MEDIUM

Key Information:

Vendor

Node.js

Status
Adm-zip
Vendor
CVE Published:
25 July 2018

What is CVE-2018-1002204?

The adm-zip library before version 0.4.9 is susceptible to a directory traversal vulnerability, commonly referred to as 'Zip-Slip'. This flaw enables attackers to manipulate zip archive entries, allowing them to write to arbitrary files on the file system when the archive is extracted. Proper validation is crucial to prevent malicious files from being accessed or executed. This vulnerability emphasizes the importance of securing library dependencies and maintaining updated software versions.

Affected Version(s)

adm-zip < 0.4.9

References

https://snyk.io/research/zip-slip-vulnerability
x_refsource_MISC
https://github.com/cthackers/adm-zip/pull/212
x_refsource_CONFIRM
http://www.securityfocus.com/bid/107001
vdb-entryx_refsource_BID

EPSS Score

17% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.