[MAVEN:GHSA-87VG-5PGX-PGGH] spring-integration-zip Arbitrary File Write
Severity
Moderate
Affected Packages
1
Fixed Packages
1
CVEs
1
Addresses partial fix in CVE-2018-1261. Pivotal spring-integration-zip, versions prior to 1.0.2, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.
| Package | Affected Version |
|---|---|
 pkg:maven/org.springframework.integration/spring-integration-zip
|
< 1.0.2 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/org.springframework.integration/spring-integration-zip
|
= 1.0.2 |
- ID
- MAVEN:GHSA-87VG-5PGX-PGGH
- Severity
- moderate
- URL
- https://github.com/advisories/GHSA-87vg-5pgx-pggh
- Published
-
2022-05-13T01:07:04
(2 years ago) - Modified
-
2023-10-05T18:49:19
(11 months ago) - Rights
- Maven Security Team
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.springframework.integration/spring-integration-zip | org.springframework.integration |
spring-integration-zip
|
< 1.0.2 | |||
| Fixed | pkg:maven/org.springframework.integration/spring-integration-zip | org.springframework.integration |
spring-integration-zip
|
= 1.0.2 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |