Vulnerability Details CVE-2019-13241
FlightCrew v0.9.2 and older are vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 75.0%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 6.8
References
- https://github.com/Sigil-Ebook/flightcrew/issues/52
- https://salvatoresecurity.com/fun-with-fuzzers-how-i-discovered-three-vulnerabilities-part-3-of-3/
- https://usn.ubuntu.com/4055-1/
- https://github.com/Sigil-Ebook/flightcrew/issues/52
- https://salvatoresecurity.com/fun-with-fuzzers-how-i-discovered-three-vulnerabilities-part-3-of-3/
- https://usn.ubuntu.com/4055-1/
Products affected by CVE-2019-13241
-
cpe:2.3:a:flightcrew_project:flightcrew:0.7.2
-
cpe:2.3:a:flightcrew_project:flightcrew:0.9.0
-
cpe:2.3:a:flightcrew_project:flightcrew:0.9.1
-
cpe:2.3:a:flightcrew_project:flightcrew:0.9.2
-
cpe:2.3:o:canonical:ubuntu_linux:16.04
-
cpe:2.3:o:canonical:ubuntu_linux:18.04
-
cpe:2.3:o:canonical:ubuntu_linux:18.10
-
cpe:2.3:o:canonical:ubuntu_linux:19.04