Vulnerability Details CVE-2018-1002205
DotNetZip.Semvered before 1.11.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 66.0%
CVSS Severity
CVSS v3 Score 5.5
CVSS v2 Score 4.3
References
- https://github.com/haf/DotNetZip.Semverd/commit/55d2c13c0cc64654e18fcdd0038fdb3d7458e366
- https://github.com/haf/DotNetZip.Semverd/pull/121
- https://github.com/snyk/zip-slip-vulnerability
- https://snyk.io/research/zip-slip-vulnerability
- https://snyk.io/vuln/SNYK-DOTNET-DOTNETZIP-60245
- https://github.com/haf/DotNetZip.Semverd/commit/55d2c13c0cc64654e18fcdd0038fdb3d7458e366
- https://github.com/haf/DotNetZip.Semverd/pull/121
- https://github.com/snyk/zip-slip-vulnerability
- https://snyk.io/research/zip-slip-vulnerability
- https://snyk.io/vuln/SNYK-DOTNET-DOTNETZIP-60245
Products affected by CVE-2018-1002205
-
cpe:2.3:a:dotnetzip.semverd_project:dotnetzip.semverd:1.10.0
-
cpe:2.3:a:dotnetzip.semverd_project:dotnetzip.semverd:1.10.1
-
cpe:2.3:a:dotnetzip.semverd_project:dotnetzip.semverd:1.9.2
-
cpe:2.3:a:dotnetzip.semverd_project:dotnetzip.semverd:1.9.3
-
cpe:2.3:a:dotnetzip.semverd_project:dotnetzip.semverd:1.9.4
-
cpe:2.3:a:dotnetzip.semverd_project:dotnetzip.semverd:1.9.6
-
cpe:2.3:a:dotnetzip.semverd_project:dotnetzip.semverd:1.9.7
-
cpe:2.3:a:dotnetzip.semverd_project:dotnetzip.semverd:1.9.9