CVE-2018-1002205
Directory traversal vulnerability in DotNetZip (NuGet)
What is CVE-2018-1002205 About?
DotNetZip.Semverd before 1.11.0 is vulnerable to directory traversal, also known as 'Zip-Slip', allowing attackers to write arbitrary files outside the intended extraction path. This occurs when malformed Zip archive entries containing '../' sequences are mishandled during extraction. Exploitation is typically easy and involves supplying a specially crafted archive.
Affected Software
Technical Details
The vulnerability in DotNetZip.Semverd before 1.11.0 is a classic directory traversal, or 'Zip-Slip', issue. When extracting entries from a Zip archive, the library fails to properly sanitize or validate the file paths contained within the archive. An attacker can craft a Zip entry with a path like ../../../../path/to/arbitrary/file.txt. During extraction, the ../ sequences make the path resolve to a location outside the intended destination directory instead of inside it. This enables an attacker to write arbitrary files to any location on the file system that the application has write permissions to, potentially leading to arbitrary code execution, configuration file modification, or data corruption.
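The containment check whose absence is described above can be run over an archive before anything is extracted. The following is an added example, not DotNetZip.Semverd's code or its fix; it uses .NET's built-in System.IO.Compression, and the names ZipSlipGuard, StaysInside, FindEscapingEntries and the "out" destination are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;

static class ZipSlipGuard
{
    // True when entryName, resolved against destDir, stays inside destDir.
    public static bool StaysInside(string destDir, string entryName)
    {
        string root = Path.GetFullPath(destDir);
        string sep = Path.DirectorySeparatorChar.ToString();
        // The trailing separator stops a sibling such as "out-old" from
        // passing a bare prefix test against "out".
        if (!root.EndsWith(sep, StringComparison.Ordinal))
            root += sep;
        // GetFullPath collapses "../" segments; an absolute entry name makes
        // Path.Combine discard root, so the prefix test rejects it as well.
        string target = Path.GetFullPath(Path.Combine(root, entryName));
        return target.StartsWith(root, StringComparison.Ordinal);
    }

    // Entry names in the archive that would be written outside destDir.
    public static List<string> FindEscapingEntries(Stream zip, string destDir)
    {
        var bad = new List<string>();
        using (var archive = new ZipArchive(zip, ZipArchiveMode.Read, leaveOpen: true))
            foreach (ZipArchiveEntry e in archive.Entries)
                if (!StaysInside(destDir, e.FullName))
                    bad.Add(e.FullName);
        return bad;
    }

    static void Main()
    {
        // Constructed sample archive, built in memory; nothing is extracted.
        var buffer = new MemoryStream();
        using (var w = new ZipArchive(buffer, ZipArchiveMode.Create, leaveOpen: true))
        {
            w.CreateEntry("docs/readme.txt");
            w.CreateEntry("docs/../notes.txt");      // ".." that stays inside
            w.CreateEntry("../../outside.txt");      // leaves the destination
            w.CreateEntry("../out-old/sibling.txt"); // sibling sharing the prefix
        }
        buffer.Position = 0;
        string dest = Path.Combine(Path.GetTempPath(), "out");
        foreach (string name in FindEscapingEntries(buffer, dest))
            Console.WriteLine("rejected: " + name);
    }
}
```

Rejecting the whole archive when FindEscapingEntries returns anything is the conservative policy; the same StaysInside test can also gate each entry individually at extraction time.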
What is the Impact of CVE-2018-1002205?
Successful exploitation may allow attackers to write arbitrary files to sensitive locations on the file system, potentially leading to arbitrary code execution, denial of service, or data compromise.
What is the Exploitability of CVE-2018-1002205?
Exploiting this directory traversal (Zip-Slip) vulnerability requires an attacker to provide a specially crafted Zip archive containing malicious file paths. The attack can be local if the application processes untrusted archives from local storage, or remote if the application processes untrusted archives downloaded from external sources. No authentication or special privileges are needed to trigger the vulnerability once the malicious archive is being processed. The prerequisite is that the application uses DotNetZip.Semverd to extract Zip archives. There are no notable special conditions or constraints other than the requirement for an unsanitized extraction process. Risk factors include applications that accept and extract untrusted archives, especially from endpoints that handle user-supplied content.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-1002205?
Available Upgrade Options
- DotNetZip
- <1.11.0 → Upgrade to 1.11.0
Additional Resources
- https://osv.dev/vulnerability/GHSA-7378-6268-4278
- https://github.com/haf/DotNetZip.Semverd/commit/55d2c13c0cc64654e18fcdd0038fdb3d7458e366
- https://github.com/snyk/zip-slip-vulnerability
- https://snyk.io/vuln/SNYK-DOTNET-DOTNETZIP-60245
- https://snyk.io/research/zip-slip-vulnerability
- https://github.com/haf/DotNetZip.Semverd/pull/121
- https://github.com/advisories/GHSA-7378-6268-4278
- https://nvd.nist.gov/vuln/detail/CVE-2018-1002205
What are Similar Vulnerabilities to CVE-2018-1002205?
Similar Vulnerabilities: CVE-2021-39208, CVE-2020-28267, CVE-2018-12020, CVE-2018-1000622, CVE-2018-1000621
