Vulnerability Details CVE-2015-0557
Open-source ARJ archiver 3.10.22 does not properly remove leading slashes from paths, which allows remote attackers to conduct absolute path traversal attacks and write to arbitrary files via multiple leading slashes in a path in an ARJ archive.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.021
EPSS Ranking 83.3%
CVSS Severity
CVSS v2 Score 5.8
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154518.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154605.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155011.html
- http://www.debian.org/security/2015/dsa-3213
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:201
- http://www.openwall.com/lists/oss-security/2015/01/03/5
- http://www.openwall.com/lists/oss-security/2015/01/05/9
- http://www.securityfocus.com/bid/71895
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774435
- https://security.gentoo.org/glsa/201612-15
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154518.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154605.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155011.html
- http://www.debian.org/security/2015/dsa-3213
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:201
- http://www.openwall.com/lists/oss-security/2015/01/03/5
- http://www.openwall.com/lists/oss-security/2015/01/05/9
- http://www.securityfocus.com/bid/71895
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774435
- https://security.gentoo.org/glsa/201612-15
Products affected by CVE-2015-0557
-
cpe:2.3:a:arj_software:arj_archiver:3.10.22
-
cpe:2.3:o:fedoraproject:fedora:20
-
cpe:2.3:o:fedoraproject:fedora:21
-
cpe:2.3:o:fedoraproject:fedora:22