The ZipCommon::isValidPath() function in Zip/src/ZipCommon.cpp in POCO C++ Libraries before 1.8 does not properly restrict the filename value in the ZIP header, which allows attackers to conduct absolute path traversal attacks during the ZIP decompression, and possibly create or overwrite arbitrary files, via a crafted ZIP file, related to a "file path injection vulnerability".
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2018-01-03T20:00:00
Updated: 2024-08-05T22:00:41.514Z
Reserved: 2018-01-03T00:00:00
Link: CVE-2017-1000472
Vulnrichment
No data.
NVD
Status : Modified
Published: 2018-01-03T20:29:00.487
Modified: 2024-11-21T03:04:48.400
Link: CVE-2017-1000472
Redhat
No data.