CVE-2018-1261

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2018-1261

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1261.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-1261

Aliases

GHSA-m9jm-rhrm-gcxj

Published

2018-05-11T20:29:00.400Z

Modified

2026-03-14T14:32:15.121848Z

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Spring-integration-zip versions prior to 1.0.1 exposes an arbitrary file write vulnerability, which can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z) that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

References

Affected packages

Git / github.com/spring-projects/spring-integration-extensions

Affected ranges

Type

GIT

Repo

https://github.com/spring-projects/spring-integration-extensions

Events

Introduced

Fixed

e9eaca970b289a7602a2745caeb7f9946775cae2

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.1"
        }
    ]
}

Affected versions

cass.*

cass.v0.5.0.RELEASE

hz.*

hz.v1.0.0-M1

hz.v1.0.0.M2

hz.v1.0.0.RELEASE

kafka.*

kafka.v1.0.0.M1

kafka.v1.0.0.M2

kafka.v1.0.0a.M2

mqtt.*

mqtt.v1.0.0.M1

sidsl.*

sidsl.v1.0.0.M1

sidsl.v1.0.0.M2

sidsl.v1.0.0.M3

sidsl.v1.0.0.RC1

smb.*

smb.v0.5.0.RELEASE

smpp.*

smpp.v1.0.0.GA

smpp.v1.0.0.RELEASE

splunk.*

splunk.v1.0.0.M1-fix

zip.*

zip.v1.0.0.M1

zip.v1.0.0.RELEASE

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1261.json"