CVE-2018-1002201
- Source
- https://cve.org/CVERecord?id=CVE-2018-1002201
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1002201.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2018-1002201
- Aliases
- Related
- Published
- 2018-07-25T17:29:00.500Z
- Modified
- 2026-04-11T03:11:53.918508Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
zt-zip before 1.13 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
- References
-
- https://github.com/zeroturnaround/zt-zip/blob/zt-zip-1.13/Changelog.txt
- https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff
- https://snyk.io/research/zip-slip-vulnerability
- https://snyk.io/vuln/SNYK-JAVA-ORGZEROTURNAROUND-31681
- https://github.com/snyk/zip-slip-vulnerability
Affected packages
Git / github.com/zeroturnaround/zt-zip
Affected versions
zt-zip-1.*
zt-zip-1.1
zt-zip-1.10
zt-zip-1.11
zt-zip-1.12
zt-zip-1.2
zt-zip-1.3
zt-zip-1.4
zt-zip-1.5
zt-zip-1.6
zt-zip-1.7
zt-zip-1.8
zt-zip-1.9
Database specific
vanir_signatures_modified
"2026-04-11T03:11:53Z"
vanir_signatures
[
{
"id": "CVE-2018-1002201-22c34fac",
"target": {
"file": "src/main/java/org/zeroturnaround/zip/ZipUtil.java",
"function": "process"
},
"deprecated": false,
"digest": {
"function_hash": "279750403654855414608833557685175274410",
"length": 731.0
},
"signature_type": "Function",
"source": "https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff",
"signature_version": "v1"
},
{
"id": "CVE-2018-1002201-9dc389e7",
"target": {
"file": "src/main/java/org/zeroturnaround/zip/ZipUtil.java",
"function": "process"
},
"deprecated": false,
"digest": {
"function_hash": "198455943215700953213808939616267215482",
"length": 624.0
},
"signature_type": "Function",
"source": "https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff",
"signature_version": "v1"
},
{
"id": "CVE-2018-1002201-d82e4601",
"target": {
"file": "src/main/java/org/zeroturnaround/zip/ZipUtil.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"310601281774499144755135626491352513510",
"274360009946576874522182633462003745653",
"73907614146411361057697097564316388116",
"251291736049655420166330684889846297678",
"220410006497838349652649523892244530990",
"31749547053909711789217358615698290078",
"100437989808543317718932101059407095646",
"162595804253701327466380441767224941935",
"111021639111426693295759285248971701321",
"124685360062642808386369791959263542763",
"144328565222130707453886345860151779529",
"119303119309932656875971493311413567506",
"41540335934033229366450312583384951076",
"104845014972195126914457114245168811422",
"73907614146411361057697097564316388116",
"251291736049655420166330684889846297678"
],
"threshold": 0.9
},
"signature_type": "Line",
"source": "https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff",
"signature_version": "v1"
},
{
"id": "CVE-2018-1002201-e8dac007",
"target": {
"file": "src/main/java/org/zeroturnaround/zip/ZipUtil.java",
"function": "process"
},
"deprecated": false,
"digest": {
"function_hash": "86450819048780533944105473355824873319",
"length": 604.0
},
"signature_type": "Function",
"source": "https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff",
"signature_version": "v1"
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1002201.json"