CVE-2018-1263

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2018-1263

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1263.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-1263

Aliases

GHSA-87vg-5pgx-pggh

Published

2018-05-15T20:29:00.447Z

Modified

2026-03-14T09:27:26.806512Z

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Addresses partial fix in CVE-2018-1261. Pivotal spring-integration-zip, versions prior to 1.0.2, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

References

Affected packages

Git / github.com/spring-projects/spring-integration-extensions

Affected ranges

Type

GIT

Repo

https://github.com/spring-projects/spring-integration-extensions

Events

Introduced

Fixed

f5c1295a6e8484dae3b5ef47e9cef4f54a96c986

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.2"
        }
    ]
}

Affected versions

cass.*

cass.v0.5.0.RELEASE

hz.*

hz.v1.0.0-M1

hz.v1.0.0.M2

hz.v1.0.0.RELEASE

kafka.*

kafka.v1.0.0.M1

kafka.v1.0.0.M2

kafka.v1.0.0a.M2

mqtt.*

mqtt.v1.0.0.M1

sidsl.*

sidsl.v1.0.0.M1

sidsl.v1.0.0.M2

sidsl.v1.0.0.M3

sidsl.v1.0.0.RC1

smb.*

smb.v0.5.0.RELEASE

smb.v1.0.0.RELEASE

smpp.*

smpp.v1.0.0.GA

smpp.v1.0.0.RELEASE

splunk.*

splunk.v1.0.0.M1-fix

zip.*

zip.v1.0.0.M1

zip.v1.0.0.RELEASE

zip.v1.0.1.RELEASE

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1263.json"