CVE-2019-14452

Source
https://cve.org/CVERecord?id=CVE-2019-14452
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-14452.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-14452
Published
2019-07-31T02:15:10.977Z
Modified
2026-02-14T00:35:49.943970Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

Sigil before 0.9.16 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction.

References

Affected packages

Git / github.com/sigil-ebook/sigil

Affected ranges

Type
GIT
Repo
https://github.com/sigil-ebook/sigil
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*
0.4.1
0.4.2
0.5.0
0.5.1
0.5.2
0.5.3
0.6.0
0.6.1
0.6.2
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.900
0.8.901
0.9.0
0.9.1
0.9.10
0.9.11
0.9.12
0.9.13
0.9.14
0.9.15
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-14452.json"
vanir_signatures
[
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/sigil-ebook/sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f",
        "id": "CVE-2019-14452-187fcff0",
        "deprecated": false,
        "target": {
            "file": "src/Misc/Utility.cpp",
            "function": "Utility::UnZip"
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/sigil-ebook/sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4",
        "id": "CVE-2019-14452-2f067d2f",
        "deprecated": false,
        "target": {
            "file": "src/Importers/ImportEPUB.cpp"
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/sigil-ebook/sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f",
        "id": "CVE-2019-14452-36998d3d",
        "deprecated": false,
        "target": {
            "file": "src/sigil_exception.h"
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/sigil-ebook/sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f",
        "id": "CVE-2019-14452-74de99f5",
        "deprecated": false,
        "target": {
            "file": "src/Misc/Utility.cpp"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/sigil-ebook/sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4",
        "id": "CVE-2019-14452-8b14dd4a",
        "deprecated": false,
        "target": {
            "file": "src/Importers/ImportEPUB.cpp",
            "function": "ImportEPUB::ExtractContainer"
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/sigil-ebook/sigil/commit/5b867e569f5bd3f471ae71f2e301624069712896",
        "id": "CVE-2019-14452-94aa0873",
        "deprecated": false,
        "target": {
            "file": "src/BookManipulation/Book.cpp"
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/sigil-ebook/sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4",
        "id": "CVE-2019-14452-b9e751b0",
        "deprecated": false,
        "target": {
            "file": "src/Importers/ImportEPUB.cpp"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/sigil-ebook/sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4",
        "id": "CVE-2019-14452-f9f171b5",
        "deprecated": false,
        "target": {
            "file": "src/Importers/ImportEPUB.cpp",
            "function": "ImportEPUB::ExtractContainer"
        }
    }
]