SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728
## Overview [github.com/mholt/archiver/cmd/arc](https://github.com/mholt/archiver) is a cross-platform, multi-format archive utility and Go library. Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the `Unarchive` functions. ## Details It is exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a "../../file.exe" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily. The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicous file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file: ``` +2018-04-15 22:04:29 ..... 19 19 good.txt +2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys ``` ## Remediation Upgrade `github.com/mholt/archiver/cmd/arc` to version 3.3.2 or higher. ## References - [Fix Commit](https://github.com/mholt/archiver/commit/8217ed3a206c0473b4ec1aff51375b398838073a) - [GitHub PR](https://github.com/mholt/archiver/pull/169) - [GitHub PR 2](https://github.com/mholt/archiver/pull/203) - [Zip Slip Advisory](https://github.com/snyk/zip-slip-vulnerability) - [Zip Slip Advisory](https://security.snyk.io/research/zip-slip-vulnerability)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
Timeline
- May 13, 2019 CVE Updated
- May 16, 2019 CVE Published
References
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728 advisory
- https://github.com/mholt/archiver technical
- https://github.com/mholt/archiver/commit/8217ed3a206c0473b4ec1aff51375b398838073a patch
- https://github.com/mholt/archiver/pull/169 patch
- https://github.com/mholt/archiver/pull/203 patch
- https://github.com/snyk/zip-slip-vulnerability technical