CVE-2019-10743

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-10743

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10743.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-10743

Aliases

GHSA-h74j-692g-48mq

Related

SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728
SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728,

Published

2019-10-29T19:15:16.610Z

Modified

2026-04-02T01:29:14.876917Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

All versions of archiver allow attacker to perform a Zip Slip attack via the "unarchive" functions. It is exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a "../../file.exe" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

References

Affected packages

Git / github.com/mholt/archiver

Affected ranges

Type

GIT

Repo

https://github.com/mholt/archiver

Events

Introduced

edeadbb1a3884e1a487283bcb73e823333fd1a10

Fixed

c7eae9dcbcb1f0a0ce965184868097babf73d415

Database specific

{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.3.2"
        }
    ]
}

Affected versions

v3.*

v3.0.0

v3.0.1

v3.1.0

v3.1.1

v3.2.0

v3.3.0

v3.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10743.json"