CVE-2018-1002204
Arbitrary File Write vulnerability in adm-zip (npm)
What is CVE-2018-1002204 About?
This vulnerability is an arbitrary file write flaw in `adm-zip` versions before 0.4.9. It allows an attacker to write files to arbitrary locations on the file system by providing a specially crafted archive containing path traversal filenames. This can lead to system compromise, data corruption, or denial of service. Exploitation is relatively easy with a malicious ZIP file.
Affected Software
Technical Details
The adm-zip library, in versions prior to 0.4.9, fails to properly sanitize filenames during archive extraction. An attacker can create a malicious ZIP archive where filenames within the archive use path traversal sequences, such as ../../file.txt. When an application using adm-zip extracts this archive, the library does not correctly resolve or restrict these paths. Consequently, the extracted files are written outside the intended extraction directory, potentially overwriting critical system files, configuration files, or executable binaries, leading to arbitrary file write. This can result in complete system compromise or denial of service.
What is the Impact of CVE-2018-1002204?
Successful exploitation may allow attackers to write arbitrary files to the file system, leading to system compromise, data corruption, or denial of service.
What is the Exploitability of CVE-2018-1002204?
Exploitation involves creating a specially crafted ZIP archive with path traversal elements in its filenames and tricking an application to extract it using a vulnerable version of adm-zip. The complexity is low, as tools exist to create such archives. Authentication requirements depend on whether the application processes untrusted ZIP files from unauthenticated sources. No specific privileges are needed beyond the ability to supply the malicious archive to the application. This can be either a remote vulnerability (e.g., via uploaded files) or local (e.g., processing local untrusted archives). The risk of exploitation is high for applications that accept and extract user-supplied ZIP files without proper validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2018-1002204?
Available Upgrade Options
- adm-zip
- <0.4.11 → Upgrade to 0.4.11
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://www.npmjs.com/advisories/994
- https://nvd.nist.gov/vuln/detail/CVE-2018-1002204
- https://hackerone.com/reports/362118
- https://github.com/snyk/zip-slip-vulnerability
- https://github.com/cthackers/adm-zip/commit/62f64004fefb894c523a7143e8a88ebe6c84df25
- https://snyk.io/vuln/npm:adm-zip:20180415
- https://osv.dev/vulnerability/GHSA-3v6h-hqm4-2rg6
- https://github.com/advisories/GHSA-3v6h-hqm4-2rg6
- https://github.com/cthackers/adm-zip/pull/212
- http://www.securityfocus.com/bid/107001
What are Similar Vulnerabilities to CVE-2018-1002204?
Similar Vulnerabilities: CVE-2001-0949 , CVE-2005-0372 , CVE-2008-0975 , CVE-2014-9988 , CVE-2021-39234
