CVE-2018-1002207: Path Traversal

July 25, 2018 (updated October 9, 2019)

mholt/archiver golang package before is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as ‘Zip-Slip’.

References

github.com/mholt/archiver/commit/e4ef56d48eb029648b0e895bb0b6a393ef0829c3
github.com/mholt/archiver/pull/65
nvd.nist.gov/vuln/detail/CVE-2018-1002207

Detect and mitigate CVE-2018-1002207 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →