GHSA-w8r2-5j8x-x8j6

Source
https://github.com/advisories/GHSA-w8r2-5j8x-x8j6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w8r2-5j8x-x8j6/GHSA-w8r2-5j8x-x8j6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w8r2-5j8x-x8j6
Aliases
Published
2022-05-14T01:06:25Z
Modified
2023-11-08T03:59:44.118308Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Improper Limitation of a Pathname to a Restricted Directory in WildFly
Details

WildFly Core before version 6.0.0.Alpha3 does not properly validate file paths in .war archives, so extracting a crafted .war archive can overwrite arbitrary files outside the deployment directory. This is an instance of the 'Zip Slip' vulnerability.
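
The containment check that closes this class of bug, as an added example that is not WildFly's own code: every archive entry name is resolved against the deployment directory, normalized, and rejected unless the result still lies inside that directory. The class and method names and the constructed test archive are illustrative assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class ZipSlipCheck {
    // Resolve an entry name against the target directory and reject any entry
    // whose normalized path escapes it ("../x" and absolute names like "/etc/x").
    static Path safeResolve(Path targetDir, String entryName) throws IOException {
        Path root = targetDir.toAbsolutePath().normalize();
        Path dest = root.resolve(entryName).normalize();
        if (!dest.startsWith(root)) {
            throw new IOException("Zip Slip blocked, entry escapes target: " + entryName);
        }
        return dest;
    }
    // Extract an archive, applying the containment check to every entry before
    // its file is written, so a traversing entry aborts the deployment.
    static void extract(byte[] archive, Path targetDir) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(archive))) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                Path dest = safeResolve(targetDir, e.getName());
                if (e.isDirectory()) { Files.createDirectories(dest); continue; }
                Files.createDirectories(dest.getParent());
                Files.copy(zin, dest); // reads to the end of the current entry only
            }
        }
    }
    // Constructed test fixture (not a real .war): one benign entry, one traversing entry.
    static byte[] craftedArchive() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(buf)) {
            zout.putNextEntry(new ZipEntry("WEB-INF/web.xml"));
            zout.write("<web-app/>".getBytes());
            zout.closeEntry();
            zout.putNextEntry(new ZipEntry("../../escaped.txt"));
            zout.write("x".getBytes());
            zout.closeEntry();
        }
        return buf.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        Path target = Files.createTempDirectory("deploy");
        try {
            extract(craftedArchive(), target);
        } catch (IOException ex) {
            System.out.println(ex.getMessage()); // the traversing entry is rejected
        }
    }
}
```

The benign WEB-INF/web.xml entry is written under the temporary directory; the second entry is refused before any write, which is the behaviour the fixed WildFly Core versions are described as restoring.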

Database specific
{
    "nvd_published_at": "2018-07-27T14:29:00Z",
    "github_reviewed_at": "2022-06-29T23:30:02Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Maven / org.wildfly.core:wildfly-server

Package

Name
org.wildfly.core:wildfly-server
Purl
pkg:maven/org.wildfly.core/wildfly-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.0.0.Alpha3

Affected versions

1.*

1.0.0.Alpha1
1.0.0.Alpha2
1.0.0.Alpha3
1.0.0.Alpha4
1.0.0.Alpha5
1.0.0.Alpha6
1.0.0.Alpha7
1.0.0.Alpha8
1.0.0.Alpha9
1.0.0.Alpha10
1.0.0.Alpha11
1.0.0.Alpha12
1.0.0.Alpha13
1.0.0.Alpha14
1.0.0.Alpha15
1.0.0.Alpha16
1.0.0.Alpha17
1.0.0.Alpha18
1.0.0.Alpha19
1.0.0.Beta1
1.0.0.Beta2
1.0.0.Beta3
1.0.0.Beta4
1.0.0.Beta5
1.0.0.Beta6
1.0.0.CR1
1.0.0.CR2
1.0.0.CR3
1.0.0.CR4
1.0.0.CR5
1.0.0.CR6
1.0.0.CR7
1.0.0.Final
1.0.1.Final
1.0.2.Final

2.*

2.0.0.Alpha1
2.0.0.Alpha2
2.0.0.Alpha3
2.0.0.Alpha4
2.0.0.Alpha5
2.0.0.Alpha6
2.0.0.Alpha7
2.0.0.Alpha8
2.0.0.Alpha9
2.0.0.Alpha10
2.0.0.Alpha11
2.0.0.Alpha12
2.0.0.Alpha13
2.0.0.Beta1
2.0.0.Beta2
2.0.0.Beta3
2.0.0.Beta4
2.0.0.Beta5
2.0.0.Beta6
2.0.0.Beta7
2.0.0.CR1
2.0.0.CR2
2.0.0.CR3
2.0.0.CR4
2.0.0.CR5
2.0.0.CR6
2.0.0.CR7
2.0.0.CR8
2.0.0.CR9
2.0.0.Final
2.0.1.Final
2.0.2.Final
2.0.3.Final
2.0.4.Final
2.0.5.CR1
2.0.5.Final
2.0.6.Final
2.0.7.Final
2.0.8.Final
2.0.9.Final
2.0.10.Final
2.1.0.CR1
2.1.0.CR2
2.1.0.Final
2.2.0.CR1
2.2.0.CR2
2.2.0.CR3
2.2.0.CR4
2.2.0.CR5
2.2.0.CR6
2.2.0.CR7
2.2.0.CR8
2.2.0.CR9
2.2.0.Final
2.2.1.CR1
2.2.1.CR2
2.2.1.Final

3.*

3.0.0.Alpha1
3.0.0.Alpha2
3.0.0.Alpha3
3.0.0.Alpha4
3.0.0.Alpha5
3.0.0.Alpha6
3.0.0.Alpha7
3.0.0.Alpha8
3.0.0.Alpha9
3.0.0.Alpha10
3.0.0.Alpha11
3.0.0.Alpha12
3.0.0.Alpha13
3.0.0.Alpha14
3.0.0.Alpha15
3.0.0.Alpha16
3.0.0.Alpha17
3.0.0.Alpha18
3.0.0.Alpha19
3.0.0.Alpha20
3.0.0.Alpha21
3.0.0.Alpha22
3.0.0.Alpha23
3.0.0.Alpha24
3.0.0.Alpha25
3.0.0.Beta1
3.0.0.Beta2
3.0.0.Beta3
3.0.0.Beta5
3.0.0.Beta6
3.0.0.Beta7
3.0.0.Beta8
3.0.0.Beta9
3.0.0.Beta10
3.0.0.Beta11
3.0.0.Beta12
3.0.0.Beta13
3.0.0.Beta14
3.0.0.Beta15
3.0.0.Beta16
3.0.0.Beta17
3.0.0.Beta18
3.0.0.Beta19
3.0.0.Beta20
3.0.0.Beta21
3.0.0.Beta22
3.0.0.Beta23
3.0.0.Beta24
3.0.0.Beta25
3.0.0.Beta26
3.0.0.Beta27
3.0.0.Beta28
3.0.0.Beta29
3.0.0.Beta30
3.0.0.Beta31
3.0.0.CR1
3.0.0.Final
3.0.1.Final
3.0.2.CR1
3.0.2.Final
3.0.3.Final
3.0.4.Final
3.0.5.Final
3.0.6.Final
3.0.7.Final
3.0.8.Final
3.0.9.Final
3.0.10.Final
3.1.0.Final

4.*

4.0.0.Alpha1
4.0.0.Alpha2
4.0.0.Alpha3
4.0.0.Alpha4
4.0.0.Alpha5
4.0.0.Alpha6
4.0.0.Alpha7
4.0.0.Alpha8
4.0.0.Alpha9
4.0.0.Alpha10
4.0.0.Beta1
4.0.0.Beta2
4.0.0.CR1
4.0.0.Final

5.*

5.0.0.Alpha1
5.0.0.Alpha2
5.0.0.Alpha3
5.0.0.Alpha4
5.0.0.Alpha5
5.0.0.Alpha6
5.0.0.Alpha7
5.0.0.Beta1
5.0.0.Beta2
5.0.0.Beta3
5.0.0.Beta4
5.0.0.Beta5
5.0.0.CR1
5.0.0.Final

6.*

6.0.0.Alpha1
6.0.0.Alpha2

Database specific

{
    "last_known_affected_version_range": "<= 6.0.0.Alpha2"
}