CVE-2018-1261 in Pivotal Software and VMware Products
Published on May 11, 2018
Spring-integration-zip versions prior to 1.0.1 expose an arbitrary file write vulnerability, which can be achieved using a specially crafted zip archive (other archive formats are affected as well: bzip2, tar, xz, war, cpio, 7z) that holds path traversal filenames. When such a filename is concatenated to the target extraction directory, the final path ends up outside of the target folder.
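The description above is the classic archive path traversal ("Zip Slip") pattern: the extractor joins each entry name onto the target directory without checking where the resolved path lands. The following Python example, added here and not code from Spring Integration or any Pivotal/VMware product, builds a small constructed zip with one benign entry and one `../` entry, shows the destination a naive join produces, and contrasts it with a containment check that canonicalises both paths before writing. The target directory and entry names are constructed for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        # zipfile.writestr does not sanitise entry names, so a '../' name is stored as-is
        zf.writestr("../../escaped.txt", "would land outside the target dir\n")
    return buf.getvalue()


def naive_destination(target_dir: Path, entry_name: str) -> Path:
    """What a vulnerable extractor does: concatenate target dir and entry name, no validation."""
    return target_dir / entry_name


def is_within(target_dir: Path, candidate: Path) -> bool:
    """Canonicalise both paths and require candidate to sit under target_dir.

    Path.resolve() collapses '..' components (and follows symlinks) without
    requiring the path to exist, so this works before anything is written.
    """
    target = target_dir.resolve()
    resolved = candidate.resolve()
    try:
        resolved.relative_to(target)
        return True
    except ValueError:
        return False


def classify_entries(archive: bytes, target_dir: Path) -> dict:
    """Return {entry_name: 'ok' | 'rejected'} from the containment check, writing nothing."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            dest = naive_destination(target_dir, name)
            result[name] = "ok" if is_within(target_dir, dest) else "rejected"
    return result


def safe_extract(archive: bytes, target_dir: Path) -> list:
    """Extract only entries whose resolved path stays inside target_dir.

    Returns the list of files written. Rejected entries are skipped here;
    a production extractor should log or raise so the bad archive is noticed.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            dest = target_dir / info.filename
            if not is_within(target_dir, dest):
                continue  # traversal entry: never touch the filesystem for it
            if info.is_dir():
                dest.mkdir(parents=True, exist_ok=True)
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(dest)
    return written


def demo_safe_extract() -> dict:
    """Run safe_extract into a temp dir and report what was (and was not) written."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d)
        written = safe_extract(build_sample_archive(), target)
        escaped = target.parent.parent / "escaped.txt"
        return {
            "written": sorted(p.name for p in written),
            "escaped_exists": escaped.exists(),
        }


if __name__ == "__main__":
    print(classify_entries(build_sample_archive(), Path("/tmp/extract-target")))
    print(demo_safe_extract())
```

The check must run on the resolved path of each entry, not on the raw name: a prefix test like `name.startswith("../")` misses `docs/../../x`, absolute names, and symlinked components. The Java equivalent used by most fixes for this class of bug compares `File.getCanonicalPath()` of the destination against the canonical target directory plus a trailing separator. Python's own `ZipFile.extract` and `extractall` already strip traversal components, which is why hand-rolled extraction loops like the vulnerable one above are where this bug usually appears.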
Affected Versions
Pivotal Spring Integration Zip Version 5.0.x prior to 5.0.6; 4.3.x prior to 4.3.17 is affected by CVE-2018-1261
Exploit Probability
EPSS: 0.35%
Percentile: 57.09%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.