Candidate: CVE-2018-1002200
PublicDate: 2018-07-25 17:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002200
 https://github.com/codehaus-plexus/plexus-archiver/pull/87
Description:
 plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
Ubuntu-Description:
 It was discovered that plexus-archiver incorrectly handled directory traversal during extraction. An attacker could possibly use this for a Zip-Slip attack.
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900953
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N [5.5 MEDIUM]

Patches_plexus-archiver:
 other: https://github.com/codehaus-plexus/plexus-archiver/commit/58bc24e465c0842981692adbf6d75680298989de
upstream_plexus-archiver: released (1.2-1+deb8u1, 2.2-1+deb9u1, 3.6.0-1)
precise/esm_plexus-archiver: DNE
trusty_plexus-archiver: released (1.2-1+deb8u1build14.04.1)
trusty/esm_plexus-archiver: released (1.2-1+deb8u1build14.04.1)
xenial_plexus-archiver: released (2.2-1+deb9u1build16.04.1)
artful_plexus-archiver: ignored (reached end-of-life)
bionic_plexus-archiver: needed
cosmic_plexus-archiver: not-affected (3.6.0-2)
disco_plexus-archiver: not-affected (3.6.0-2)
eoan_plexus-archiver: not-affected (3.6.0-2)
focal_plexus-archiver: not-affected (3.6.0-2)
groovy_plexus-archiver: not-affected (3.6.0-2)
hirsute_plexus-archiver: not-affected (3.6.0-2)
impish_plexus-archiver: not-affected (3.6.0-2)
jammy_plexus-archiver: not-affected (3.6.0-2)
devel_plexus-archiver: not-affected (3.6.0-2)